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Abstract 



We consider several applications in black-box quantum computation in 
which untrusted physical quantum devices are connected together to produce 
an experiment. By examining the outcome statistics of such an experiment, 
and comparing them against the desired experiment, we may hope to certify 
that the physical experiment is implementing the desired experiment. This 
is useful in order to verify that a calculation has been performed correctly, 
that measurement outcomes are secure, or that the devices are producing the 
desired state. 

First, we introduce constructions for a family of simulations, which du- 
plicate the outcome statistics of an experiment but are not exactly the same 
as the desired experiment. This places limitations on how strict we may be 
with the requirements we place on the physical devices. We identify many 
simulations, and consider their implications for quantum foundations as well 
as security related applications. 

The most general application of black-box quantum computing is self- 
testing circuits, in which a generic physical circuit may be tested against a 
given circuit. Earlier results were restricted to circuits described on a real 
Hilbert space. We give new proofs for earlier results and begin work extending 
them to circuits on a complex Hilbert space with a test that verifies complex 
measurements. 

For security applications of black-box quantum computing, we consider 
device independent quantum key distribution (DIQKD). We may consider 
DIQKD as an extension of QKD (quantum key distribution) in which the 
model of the physical measurement devices is replaced with an adversarial 
model. This introduces many technical problems, such as unbounded dimen- 
sion, but promises increased security since the many complexities hidden 
by traditional models are implicitly considered. We extend earlier work by 
proving security with fewer assumptions. 

Finally, we consider the case of black-box state characterization. Here the 
emphasis is placed on providing robust results with operationally meaningful 
measures. The goal is to certify that a black box device is producing high 
quality maximally entangled pairs of qubits using only untrusted measure- 
ments and a single statistic, the CHSH value, defined using correlations of 
outcomes from the two parts of the system. We present several measures of 
quality and prove bounds for them. 
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Introduction 
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1.1 States and statistics 

The main thrust behind the development of quantum formalism, and its 
main usefulness, arises from its ability to predict the outcomes of experi- 
ments. Indeed, the kinds of predictions that quantum formalism makes has 
revolutionized physics. In this thesis, however, we take a much different ap- 
proach. Instead of using quantum states and operations to determine the 
outcomes of an experiment, we will use the outcomes of an experiment (or 
rather the distribution of outcomes) to determine the quantum state and 
operations. 

Why would we want to do this? As quantum formalism moves from the 
role of a theoretical tool in describing the functioning of the universe to an 
integral part of technological developments it becomes more important that 
physical devices are operating as we believe them to be. This is no more 
apparent than in the case of quantum key distribution in which we posit the 
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existence of an adversary who actively subverts the functioning of physical 
devices and modifies quantum states. In experiments intended for academic 
applications we may rely on academic integrity and repeatability to establish 
that results are correct, but in the world of security we must be sure that 
each time we use a device it actually behaves as we believe it to behave, 
without the benefit of time, repetition, and expert opinion. Indeed, we may 
have little to go on besides the assurances of the device manufacturer. 

Into this context we introduce the concepts of self-testing, device inde- 
pendent quantum key distribution and black box state characterization. The 
aim of all of these techniques is to replace assumptions about a physical 
devices with a test. The test will rely solely on the classical data available 
about the devices: how are the devices connected to each other? What are 
the measurement setting? What are the outcomes? When we look at the 
probability distributions for these data we may be able to certify that the 
devices are behaving properly, or raise a red flag if the functioning of the 
devices stray from the ideal. 

1.2 Terminology 

1.2.1 Black box model 

Devices 

In this thesis we have a particular model in mind for black box computing. In 
particular, each black box device is a physical device with some combination 
of quantum and classical inputs and outputs. Devices do not communicate 
unless we allow them to by physically connecting them together. Each device 
is labeled with its intended function, but this may bear no resemblance to 
what the device actually does. 

We will concern ourselves with three main types of black box devices 

• Sources: The only sources we will use are bipartite state sources with 
two quantum outputs. They are labeled with the state they produce 
(always ^=(|00) + |11)) in this thesis.) 

• Gates: Gates will have an equal number of quantum inputs and out- 
puts. Gates will be labeled with a matrix corresponding to the unitary 
they are supposed to apply. 
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• Measurement devices: We will be concerned with single system mea- 
surements in a small number of bases. They have one quantum input 
and one classical output (one bit in all the cases we consider) . We may 
consider the different measurement bases to be implemented in differ- 
ent physical devices, or there may be a classical input which specifies 
the basis in which to measure. Measurement devices are labeled with 
the basis (or bases) in which they measure. We will model measure- 
ments as Hermitian observables. We may easily translate the more 
general POVM formalism into such a description using Naimark's the- 
orem [Nai40j . Since the dimension of the Hilbert space is not fixed this 
poses no problems. 

Device interaction 

We need the devices to be able to interact in order to form circuits, but 
not in an unlimited fashion. If unlimited communication were allowed, then 
the various devices could operate as a single device with a classical con- 
spiracy. An ideal interaction, from the verifier's point of view, would allow 
only one-way communication. This would greatly simplify models. Two way 
communication could lead to a situation equivalent unlimited communication 
depending on which devices were connected simultaneously. For example, if 
all devices were simultaneously connected and the graph of their connections 
were connected then any two devices could communicate through intermedi- 
ate devices. 

One way to enforce one-way communication would be to use a number of 
identity gate devices and pairwise communication. If we wish for device D\ 
to send a state to D 2 we first interact D\ with an identity device I and the 
interact / with D 2 . This guarantees that no communication occurs from D 2 
back to D\. 

State preparation 

With black box devices we have no control over what state the device has 
at its disposal. We might interact a device with a source, but the device 
may disregard the source and use a state that it already had in memory. In 
this way, gate and measurement devices may share an arbitrary amount of 
entanglement. However, this does not give the adversary any more power 
since we can replace a state in memory with one prepared in the source. For 
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this reason, we will generally speak of the state as being prepared by the 
source device without loss of generality. 

1.2.2 Reference experiments and simulations 

Experiments 

The usual way of arranging quantum gates is into a quantum circuit, which 
consists of a state preparation followed by several unitary gates and finally a 
measurement. For our purposes this will not be sufficient. In particular we 
will need to measure in several different bases chosen classically by an agent 
outside the circuit. We will refer to this type of quantum apparatus as an 
experiment. An important distinction to be made is between the experiment 
we wish to implement, and the experiment that is actually implemented by 
the quantum devices. The first we call the reference experiment, and the 
second the physical experiment. 

Each experiment will have several classical inputs which determine mea- 
surements to be made, which we call the measurement settings. The statistics 
generated by an experiment is the probability distribution of the measurement 
outcomes, conditioned on the measurement setting. Another important as- 
pect of an experiment is the topology. This is the division of the experiment 
into distinct elements, each implemented by a single device, and the connec- 
tions between these elements. A typical topology consists of a bipartite state 
preparation device connected to two measurement devices. Importantly, we 
assume that no signalling occurs between devices that are not explicitly con- 
nected in the topology, and if there is some physical channel then this cannot 
be used to communicate backwards. 

Assumption 1.1. No communication occurs between quantum devices that 
are not explicitly connected. Further, quantum communication from the out- 
put of one device to the input of another device is one-way. 

Simulations 

The verifier has two pieces of information about an experiment. First, the 
topology is known, since the verifier is responsible for it. Second, the ver- 
ifier may estimate the statistics generated by the experiment, provided the 
experiment behaves the same each time it is used. 
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Assumption 1.2. The quantum devices behave the same each time they are 
used^\ 

The verifier has a particular reference experiment in mind and wishes to 
implement it. The verifier then builds a physical experiment with the same 
topology as the reference experiment using quantum devices and estimates 
the statistics it generates. Then the verifier may check if the statistics match 
those generated by the reference experiment. 

Definition 1.1. If a physical experiment generates the same statistics as a 
reference experiment with the same topology, then the physical experiment 
simulates the reference experiment. 

We will wish to compare the physical and reference systems in various 
ways. Our goal will always be to show that they are the same in some way or 
another (or determine they are not and abort.) The raw data that we obtain 
from any interaction with the physical system will be in the form of classical 
outcomes from measurements. These classical outcomes are obtained from 
probability distributions that are determined by the physical system. 

Another important concept that we will sometimes refer to is that of 
a conspiracy. A conspiracy is any behaviour of the black box devices that 
attempts to defeat a test without actually implementing the reference circuit. 
One example is for a circuit to classically calculate statistics for a circuit, 
rather than implementing the circuit. This classical conspiracy immediately 
implies that we must use non-locality in our testing, since any circuit that is 
implemented locally has a classical conspiracy. 

1.3 Summary of new results 

Simulations 

In chapter 2 we consider simulations of circuits, which are other circuits 
which produce the same outcome statistics as a reference circuit. The first 
main result of this section will be to develop a means of transforming a 
reference circuit into a simulation circuit which is described using only real 
numbers. Although such a simulation was known in limited contexts, the 
simulation we develop works for multi-partite systems general operations such 

We will consider less restrictive behaviour in Chapter H 
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as completely positive maps, POVMs (positive operator valued measure), and 
Hamiltonians. The second main result is to describe a family of simulations 
that generalizes the real simulation. 

The real simulation developed is interesting from the perspective of quan- 
tum foundations. In particular, the simulation proves that there are no exper- 
iments which distinguish between quantum physics over real Hilbert spaces 
and quantum physics over complex Hilbert spaces (which we will from now 
on refer to as real quantum physics, and complex quantum physics, respec- 
tively.) From the point of view of quantum foundations this eliminates the 
need to specify which of these two fields to use. In this spirit we also con- 
sider other number systems that might be used, specifically quaternions. We 
show that if we use the quaternions it is possible to implement a non-local 
box, which allows for stronger non-local effects than can be achieved within 
complex quantum physics. In principle this allows for an experiment which 
can distinguish quaternionic quantum physics from complex quantum physics 
(although not the reverse, since complex quantum physics is contained within 
quaternionic quantum physics.) 

Finally, in chapter 2 we consider the security of cryptographic protocols 
the are implemented using simulations from the continuum described above. 
We show that for a limited class of protocols (where all operations of the 
honest parties are measurements) security is not compromised as compared 
to the reference protocol. 

Self-testing 

Self-testing is the workhorse of black box computing. It allows us to test 
generic quantum circuits, and can be adapted to use with cryptographic 
protocols such as QKD. In this area our major contribution is new proofs for 
the major results (state and measurement testing, and gate testing.) The 
new proofs are simpler and much easier to understand. In the case of gate 
testing, we provide new proofs for two technical lemmas whose original proofs 
relied on incorrect assumptions. 

Besides new proofs, we also introduce a new test for states and measure- 
ments. The previously known test used only measurements with real entries, 
whereas our new test introduces extra measurements which have complex 
entries. This paves the way for gate testing of arbitrary gates, where the 
previous test was only applicable to gates with real entries. 
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Device independent quantum key distribution 

Device independent quantum key distribution represents a new approach to 
QKD security proofs by using an adversarial device model for the partici- 
pants' quantum devices. The goal is to provide higher security by removing 
untestable assumptions and replacing them with physical tests. Previous 
work in this area identified the main problems, introduced a usable protocol 
and produced a limited security proof (analogous to security against collective 
attacks in the usual QKD model.) Our contribution is to push the security 
boundary further by proving security against a larger class of attacks. These 
attacks allow arbitrary states and relax the assumptions on the devices. We 
also introduce new proof techniques to DIQKD, adapting security proofs used 
for traditional QKD using the quantum de Finetti theorem. 

Black box state characterization 

We finally consider black box state characterization. The goal is very much 
similar to that of state and measurement testing we discuss in chapter 3: to 
test a state preparation device using only untrusted measurements. However, 
the focus is placed on finding a robust result, measuring the quality of the 
state with an operationally meaningful definition (in this case, using fidelity.) 
Our contributions are to find suitable definitions for measures of quality (we 
introduce several) and to prove bounds using these definitions. We also 
discuss the relationship between the various definitions. 
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2.7.4 Quaternionic non-local boxes 



2.1 Introduction 

Suppose that a physical experiment simulates a reference experiment. What 
can we conclude? As we shall see, the answer to this question will be quite 
sensitive to the topology and specific construction of the reference experiment 
and will vary from nothing to quite strong statements about the structure of 
the physical experiment. Before we consider this question, however, we look 
at the complementary question: what can we never hope to conclude? 

We will have to be quite specific about the topologies that we consider. 
For example, take a topology with only one part (i.e. a single-partite state) 
with a simple reference experiment that implements a search by iterating 
through a list. This experiment can be simulated by a Grover search, or a 
procedure that sorts the list and performs a binary search. The structures 
of these experiments are quite different. We will not be interested in these 
types of specific simulations. Instead, we wish to find general procedures for 
producing a simulation of a given circuit. 

Contributions 

In this chapter we make many original contributions. First, we extend the 
well known real circuit simulation (described below) to allow POVMs, mixed 
states, CP maps, and continuous time evolution, completing the suite of 
general tools used in quantum formalism. Next we show that the real simu- 
lation may be applied in the case of multipartite evolution through the use 
of entangled states. 

The real simulation is then generalized to a large family of simulations. 
The simulations share a common construction for operators and differ in their 
states. Roughly, the simulations are formed as a mixture of the reference 
experiment and its complex conjugate. 

Later, in chapter [3j we will discuss how we can ensure that a physical 
experiment is one of the generalized simulations. We may wish to use the 
physical experiment in a cryptographic protocol, in which case the secu- 
rity properties of the experiment become important. We show that, for a 
restricted set of protocols, the security properties if implemented by a gener- 
alized simulation are identical to if implemented by the reference experiment. 
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Finally, we consider some issues in quantum foundations. Specifically, we 
discuss how the real simulation implies that the quantum formalism produces 
identical predictions whether the real numbers or complex numbers are used 
as the underlying number system. As well, we briefly consider the possibility 
of using the quaternions instead of the real or complex numbers and show 
that there exists an experiment for which the quantum formalism over the 
quaternions allows for different predictions than are possible with the usual 
quantum formalism. 

Some of the original material in this chapter was presented in |MM07| 
and published in [MMG09J. Further material is available in |McK09b] and is 
to appear in |MMarj . 



2.2 Literature review 

The concept of a simulation is widespread in the field of quantum computing, 
although the notion is usually more general, requiring only that the statis- 
tics of the measurements are the same as, or approximately the same as, the 
reference system. As an example, Aharonov et al. |AvDK + 04] showed that 
adiabatic quantum computing is equivalent to the circuit model by describ- 
ing how to construct an adiabatic simulation for any given quantum circuit. 
Another family of examples is the various constructions for universal sets of 
quantum gates (see Nielsen and Chuang |NC00] ) where a new circuit con- 
taining only gates from a restricted set is constructed from a given circuit. 
In some of these constructions the outcome statistics are only approximately 
the same as in the given circuit, although the error can be made arbitrarily 
small. In all these constructions the form of the system is changed, and only 
the outcome statistics are the same. However, despite the difference in the 
system the final state is approximately the same as in the reference system 
(with an ancilla, in the case of adiabatic computing). 



The simple real circuit simulation, described below in section 2.4.1 , gen- 
eralizes work by Rudolph and Grover |RG02j . Their simulation construction, 
like those for universal gate sets, has a restricted set of gates described us- 
ing only real numbers, but the final state is in general not the same as in 
the reference circuit. The construction is well known outside of Rudolph and 
Grover's work. It also appears, for example, in work by Stueckelberg [Stu60j . 

The simulation constructions considered so far have not aimed at preserv- 
ing any of the topology of the reference system. This makes them unsuitable 
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in situations where the division into multiple physical systems is important, 
as in the case of Bell inequalities. However, Pal and Vertesi |PV08j con- 
sidered exactly this situation. In particular, they considered the scenario of 
two physical systems with local measurements. Their result, derived inde- 
pendently of the results presented here, provided a simulation construction 
that duplicated the outcome statistics with measurement observables and 
states described using only real numbers. Importantly, the measurements 
in the simulation are local, so that the division into two physical systems is 
respected in the simulation. 



2.3 Unitarily equivalent simulations 

We first explore various simple modifications on the reference system that do 
not modify the outcome statistics. We call the results of such modifications 
unitarily equivalent simulations. The idea we wish to convey with this termi- 
nology is that the experiment has been modified in a way that is analogous 
to a change of basis, or changing the description of the Hilbert space. 

One obvious and simple modification of a circuit is to make a change of 
basis. We must be careful in order to respect the division of the circuit into 
multiple systems. For this reason we consider only local changes of basis. We 
apply the change of basis (i.e. a unitary) to the initial state and conjugate all 
unitaries and measurement observables in the circuit by the change of basis 
operation. The outcome statistics are unchanged and the circuit is not the 
same. 

A local change of basis may also be made between operations. The idea 
here is that a wire between two unitaries represents a quantum channel that 
carries the state from one physical device to another. This quantum channel 
may be anything so long as it faithfully preserves the state. In particular, 
the channel may apply some arbitrary change of basis at the beginning, and 
then reverse the change of basis at the end. We may incorporate this change 



of basis into the two unitaries, as shown in figure 2.2 As an extension of this 
principle, if multiple wires leave one gate and enter another, we may apply 
a change of basis to all the wires simultaneously. 

An experiment may be described on a particular Hilbert space, but the 
entire space may not be necessary to describe the state (i.e. if the support 
of the state is not the entire Hilbert space.) In this case the operation of the 
gates outside the support of the state may be changed without modifying 
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Figure 2.1: Local change of basis on a wire 
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Figure 2.2: Local change of basis between gates 



the functioning of the experiment. In addition, the Hilbert space may be 
changed, either embedded in a larger Hilbert space or reduced to only a 
subspace without modifying the functionality of the experiment. The idea 
here is that our model of the system need not consider dimensions that 
the state does not visit, or our model may be changed arbitrarily on those 
dimensions without changing how the experiment operates. 

Finally, we consider ancillas. The presence of ancillas does not change 
the outcome statistics provided that the unitaries operate independently on 
the ancillas and the measurements do not operate on the ancillas. The state 
of the ancilla does not matter, so we may consider ancillas added to each 
system in the experiment, prepared in any state. 

Of course, any combination of the modifications would not change the 
outcomes, and so would produce a simulation. After many such modifications 
the simulation may not look very simple, but the underlying operation of the 
experiment is essentially untouched. Rather, the way that we are describing 
it has changed since the choice of basis, division into systems and ancillas, etc. 
are all a product of our description of the experiment rather than inherent 
in the experiment itself. 

One final modification of a experiment is to take the complex conjugate 
of every state and operation in the circuit. Obviously this does not change 



12 



the outcome statistics, and the experiment will not be the same unless every 
element in the circuit has only real entries (in the same basis in which we 
apply the complex conjugation.) However, there is no unitary operation 
that implements complex conjugation, so we will not consider it as unitarily 



equivalent. We will consider it more fully later in section 2.5 



2.4 Real simulation 

2.4.1 Simple real circuit simulation 

We first show a way of arriving at a real simulation of a given reference 
circuit Q This is based on the observation that the complex numbers are a 
two dimensional real vector space. We can thus, at least formally, represent 
an arbitrary quantum state as a real vector as follows 

X X 

(a„ and real numbers representing the real and imaginary part of the 

complex number a x .) Here we have simply replaced the two dimensional 
vector space spanned by 1 and i by a qubit. The new state has the correct 
norm as a consequence of the formula 

KI 2 = K) 2 + K) 2 - 

Summing over x on the left side gives us the norm of the reference state, while 
summing over x on the right side gives us the norm of the simulation state. 
This also shows that we can measure the \x) register on the simulation state 
in the computational basis and obtain outcome x with the same probability 
as in the reference state. 

So far we have shown how to simulate states and measurements in the 
computational basis. Now we show how to simulate unitaries. This is more 
complicated since we need to simulate, not only the norm of complex num- 
bers, but the multiplication of complex numbers. Intuitively we can make a 
unitary work by making sure that the multiplication involved with each of 
the entries in the unitary matrix works. 

1 This simulation has been present in the folklore for some time. 
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Suppose that we have two complex numbers a, and b that we want to 



multiply together. We represent a by the vector J • We want to multiply 
this vector by a suitable matrix derived from b so that the result is the vector 

ab) R \ 
{ah) 1 ) ■ 

To get the real part we need a R b R — a I b I , so the first row of the matrix should 
be (b R , —b 1 ). For the imaginary part we want a R 6 7 + a 7 6 fi , so the second row 
should be (b 1 , b R ). Thus the matrix we want is 

b R _ b i 

To transform a matrix of complex numbers, we will replace each complex 
number by a 2 x 2 submatrix corresponding to the complex number as above. 
It is easily shown that this transformation takes unitary matrices to unitary 
matrices and, as intuition suggests, the resulting unitary maps the simulation 
state to correctly track the evolution of the reference state. 

2.4.2 Complex numbers as matrices 

The intuition in the previous section can be made much more rigorous by 
using a simple field isomorphism. 

Lemma 2.1. Define R : C ->• M 2 (R) by 

R(a) = a R I + a*XZ 

where 



XZ = 



-1 

1 



is the product of the Pauli matrices X and Z . Then R is an isomorphism 
between C and its image under R. 

The map R naturally extends to matrices and vectors, mapping n x n 
matrices to 2n x 2n matrices, and n vectors to 2n x 2 matrices. To be more 
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rigorous, R maps n x n matrices over the complex numbers to n x n matrices 
over 2x2 matrices, which is naturally mapped to 2n x 2n matrices. 



R 



a b 
c d 



( 




-a 1 






a R 




fc R 


-<? 




U 


C R 



b R _ b i\\ 
b I b R J 

d R -d'\ 
d 1 d R ) ) 



f a R -a 1 b R -b R \ 



V 1 



a R b I b R 

-c 1 d R -d R 
c R d 1 d R J 



It will frequently be useful to have the matrices output from R to be 
defined over a tensor product space. Specifically, if we are dealing with the 
Hilbert space H then we consider the output of R to be Using Dirac 

notation we can then describe R by 



R \Y< u *y I^Xfl = H « J + <v xz ) ® \ x )(v\ ■ 



x,y 



We now give some properties of R, which are easily verified. 

Lemma 2.2. Let operators M and N (which may have 1 column) be given. 
Then 

1. fl(Mt) = R(M) T = R(MY 

2. R(A + B) = R(A) + R(B) 

3. R(AB) = R(A)R(B) 

4- If M is normal and has (non necessarily distinct) eigenvalues then 
R(M) has eigenvalues and \* k . 

5. If M is positive semi- definite, then R(M) is positive semi-definite 

6. If M is unitary, then R(M) is unitary 

7. If M is Hermitian then R(M) is Hermitian and Tr(R(M)) = 2Tr(M) 

Proof. Items 1 to 3 are easily verified. We prove item 6 first. If M is unitary 
then MM^ = I. Applying item 3 we find 



R(M)R(My = R(I) = 7(g) I 



(2.1) 



so R(M) is also unitary. 
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We now prove item 4. The remaining items follow immediately. Diago- 
nalize M as UMW = D. Then 



R(U)R(M)R(uy = R(D) 



(2.2) 



Since R(U) is unitary the eigenvalues of R(M) are the same as the eigenvalues 
of R(D). R(D) is 2 x 2-block diagonal, with the kth block equal to R(Xk)- 
We may calculate the eigenvalues of R(\k) directly, using the characteristic 
equation 



2.4.3 Real simulation states and measurements 

The map R lets us, at least formally, describe everything quantum using 
matrices instead of complex numbers. We now show that we can modify R 
slightly so that it maps quantum states to quantum states, quantum evolution 
(both discrete and continuous) to valid quantum evolution on the simulation 
states, and quantum measurements to valid measurements that output the 
correct statistics from the simulation states. 

Density Matrices 

Let p be a density matrix. Then p' = R(p) is positive. We now come across 
a small problem, since the trace of p' is 2 instead of 1. We can easily deal 
with this by multiplying p' by 1/2. Below we will show that this is necessary 
in order to obtain the proper outcome statistics for measurements. 



Let {Pk} be a collection of positive matrices with Ylk^k — In- Then the 
matrices {P' k = R(Pk)} are all positive and 




(2.3) 



□ 



POVMs 



k k 



Thus {P' k } is a valid POVM. 
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Measurement statistics 

We will verify the measurement statistics for POVMs, since any measurement 
can be expressed as such. Let p be a density matrix and {P k } be a POVM. As 
previously discussed, our simulation state will be given by the density matrix 
pf = R(p)/2 and the simulation POVM will be given by {P' k = R{P k )}. In 
the reference system the probability of outcome k is given by 

Tr (pP k ) = p k 

Applying R, we obtain 

p k = Tr(pP k ) = 1 -Tr(R(p)P' k ) = Tr(p'P^) . 

Pure states 

We began our discussion of real simulations by giving a transformation that 
takes pure states to pure simulation states. However, our transformation 
R does not have this property, since R takes vectors to matrices with two 
columns. Nevertheless we can define a pure simulation state for each pure 
reference state. 

Let be a pure reference state. We then have = 1. Transforming 

by R we obtain 

R(m T R(m = i H2 

Thus the two columns of R(\ip)), which we will denote u and v, are orthogonal 
and norm 1 and each represents a valid pure state. In fact, these two vectors 
span the 1 eigenspace of R(\i(j){i(j\) . Now consider a reference POVM element 
P k . The probability of outcome k is P k \ip) = p k . Transforming by R we 
obtain 

Tr n (R(m T R(P k )R(\4>))) =p k I n2 

This tells us that 

u ] R(P k )u = p k , v ] R(P k )v = p k 

so the two pure states u and v give the same probability for outcome k as 
the reference experiment. Now if we want our simulation to use a pure state 
instead of the rank 2 density matrix, we can choose either u, v, or in fact 
any normalized linear combination of the two and still obtain the correct 
outcome statistics. 
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This curious splitting of a pure state into two pure simulation states has 
a nice interpretation. We return briefly to our original pure simulation state 
derived from the reference state given by 

J>£ + ia' x ) \x) 1°) + < I 1 )) \ x ) • 

X X 

We now multiply our reference state by the global phase % and apply the 
transformation, giving the state 

E K - ia x) i*> E ("-I 1 ) - a ' \ x ) ■ 

x x 

A quick calculation shows that this state is orthogonal to the previous state. 
In fact, we can multiply by any global phase and obtain a linear combination 
of these two states which are exactly the two columns of R(\ip)). This means 
that we can consider the ambiguity in this 2-dimensional subspace to be 
equivalent to the ambiguity in assigning a global phase. 

2.4.4 State evolution 

We have already shown that R(-) maps unitary matrices to unitary matrices. 
We thus turn our attention to completely positive maps and continuous time 
evolution. 



Completely positive maps 

Let = J2k MkpMl be a completely positive trace preserving map. Then 

Y,MlM k = I. 

k 

Let = Yjh R( M k)pR(M k y . Then $' is completely positive, by its form. 
It is also trace preserving, since 

E R { M k) ] R{M k ) = R (j2 M l M kj = R{Ih) = In*® In 
k \ k J 

where 7^ 2 is the identity operating on the qubit added by R. 
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Hamiltonians 

For Hamiltonians, as with density matrices, we must make a small departure. 
Recall that a quantum state evolves according to 

\m) = e- mt m,)) . 

In order to maintain proper normalization, e~ tHt must be unitary. We ensure 
this by requiring that H be Hermitian. Thus —iH has imaginary eigenvalues 
and e~ lHt will have eigenvalues which have absolute value 1. 
We now apply R(—iH) = R(—i)R(H) to obtain 

|V/(f)> = |^(t )> • 

Here we have replaced R(t) = tl with t. When considering everything over 
the field R(C) the value R{—i) = XZ is a scalar. Here we can replace this 
with the matrix — XZ <g> Iy_ to obtain 

\tf,'(t)) = e - xz ^ R{H)t \if/(t )) • 

By the properties of R we see that — XZ <g> I^R[H) will have imaginary 
eigenvalues and thus e - xz ® I nR{H)t w jjj un j^ ar y We can a i so use the Taylor 
expansion and see that each term has only real entries. Thus e ~ xz ® I HR{H)t 
will have only real entries for each t. 



Choi-Jamiolkowski representation 

Interestingly, despite the success so far, R does not correctly transform the 
Choi-Jamiolkowski representation J(-) of a superoperator, which we discuss 
in section 3.5.2 The salient feature is that J(-) is rank 1 if the superoperator 
is unitary. Since R(J(U)) for some unitary U will have double the rank of 
J(U), R(J(U)) does not represent a unitary operation despite the fact that 
R(U) is unitary. Thus R(J(U)) ^ J(R(U)). This is analogous to the fact 
that pure density matrices are mapped by R to rank 2 matrices. 



Other encoded operations 

A curious result of the real simulation is that it allows us to perform encoded 
operations which are not possible on the reference system. For example, we 
can apply X to the extra qubit and effect a complex conjugation! In this way 
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we can apply any anti-unitary. We can also perform global phase rotations 
and measurements by suitably manipulating the extra qubit. So even though 
we cannot apply these operations to the reference system, we can simulate 
what the outcome would be if we could. 

2.4.5 Real simulations and locality 

The simulation presented in the previous section deals with single systems 
only. If we are dealing with a multi-part system, then R will not generally 
map a local operation to a local operation. This is because we added a 
qubit in order to store the phase information and this qubit must be stored 
somewhere. Any operation involving complex numbers will be mapped to an 
operation that acts non-trivially on this extra qubit. 

We now present a solution to this problem. We suppose that the reference 
system has k subsystems. The real simulation will consist of k subsystems, 
each of which corresponds to a reference subsystem with one added qubit. 

A simple idea would be to add an extra qubit to each subsystem and 
perform the real simulation as though each subsystem were isolated. In this 
situation, a local operation on a particular subsystem would be mapped using 
R as in the previous section to an operation on the subsystem combined 
with its extra qubit. This idea quickly fails since the state would be free 
to move about the entire 2 k dimensional space of the k extra qubits. The 
isomorphism with C no longer works because it only has 2 dimensions as a 
real vector space. 

We can fix the naive solution above by constraining the extra qubits to 
be in a suitable 2-dimensional subspace. It turns out that we can do this 
merely by choosing a suitable initial state for the qubits. The operators will 
be as described in the naive solution. 

Consider a phase change of i applied to one of the subsystems. We require 
that this phase change combined another phase change of i to a different 
subsystem results in an overall phase change of —1. This means that we 
need the state to be a +1 eigenvector of — {XZ) m {XZ) n where m and n are 
two different subsystems. Each of these operators can be generated using 
operators of the form —(XZ)i(XZ) m for different m, so there are k — 1 
independent operators. Thus there is a 2-dimensional subspace stabilized by 
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these operators. The space 

h(x)odd 

where x ranges over all k bit strings. 

With a bit of accounting it can be seen that if we apply XZ to any one 
of the k qubits, the effect is to take |o) to |l) and |l) to — |o). Thus these 
non-local states, together with the local XZ operations, behave exactly as a 
qubit with its XZ operation. We can now create local simulation operators 
from local reference operations by replacing (XZ) m for XZ in our definitions 
of R. 

2.5 General simulations 

The real simulation revealed that there exist non-unitarily equivalent simu- 
lations, but is this the only non-unitarily equivalent simulation? The answer 
to this is no. In this section we will develop a large family of simulations. 
As we shall see, in section [377] , there exist experiments for which the general 
simulations described here (along with the unitarily equivalent simulations) 
are all possible simulations. 

Interestingly, if we confine ourself to experiments on a real Hilbert space, 
then the general simulations all collapse to unitarily equivalent simulations. 
This allows the self-testing Theorems to be successful for such experiments, 
as we shall see in chapter [3j 

2.5.1 States and measurements 

Consider a reference state \ip) measured according to a reference POVM 
{Pfc}]^] We may duplicate the statistics of this experiment using the complex 
conjugate state \ip*) and POVM {P£}- In addition, we could do some com- 
bination of the two. We may add an additional qubit register which records 

2 We may consider mixed states as well, but it is not necessary for our discussion since 
we may consider the purification of a mixed state. 



is spanned by the vectors 

h(x)even 
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which of the two experiments to perform: |0) for the reference experiment, 
and |1) for the complex conjugate. This qubit may be in any state, and not 
necessarily pure. We then arrive at new state 

p > = a |0}<0|g#}(V'|+(l-a) |l)(l|®|^)(^|+c |0}(l|<g#XV>*|+c* |1>(0|®|</>*>(^| 

(2-4) 

with a > and |c| < \/a(l — a). The important feature is that when we 
project onto |0)(0| or |1)(1| we get either \ip) or \ip*), respectively. For the 
measurement, we form the POVM 

{|0)(0|®P, + |l)(l|®P fc *}. (2.5) 

This POVM measurement is equivalent to measuring the added qubit, col- 
lapsing the state into either or |-^*) and then measuring either {Pk} or 
{P^} as appropriate; thus the statistics of the experiment are preserved. 

2.5.2 Operators 



We can extend the measurement operator defined in |2.5| to arbitrary opera- 
tors. We define 

C{M) = |0)(0| ®M+ | X >< 1 1 ®M*. (2.6) 
Note that C(M) can be expressed differently as 

C{M) = I ®Re{M)+iZ ®Im{M) (2.7) 

where Re(M) and Im(M) are the real and imaginary parts of M (both real 
matrices). 

We summarize some of the properties of C (M) here 
Lemma 2.3. Let M and N be matrices. Then we have the following: 

1. C{MN) = C{M)C{N). 

2. C(M + N) = C(M) + C(N). 

3. Let a be a real number, then C(aM) = aC(M). 

4- If is an eigenvector of M (normal) with eigenvalue X, then |0) \tp) 
and |1) l^*) are eigenvectors of C(M) with eigenvalues A and X* , re- 
spectively. 
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5. C(M) is Hermitian if and only if M is. 

6. C (M) is unitary if and only if M is. 

7. C(M) is positive semi- definite if and only if M is. 

8. When M is Hermitian, Tr(C(M)) = 2 Tr(M) . 

These properties can be derived easily. In fact, R(-) and C(-) are related 



by a unitary transformation, as will be seen in section 2.5.4 



Discrete time evolution 

The properties of C(-) allow us to easily determine how the simulation states 
in the continuum evolve. Let U and \ip) be a reference unitary operation and 



state and let p' be as in equation 2.4 By the form of C(U) we have 



C(U)p'C(Uy = a |0)(0| ® U IV-XVI + (1 - a) |1)(1| ® C/* |^*)(V>*I 

c |0)(1| ® U \i)W\ U T + c* |1)(0| ® C7* I^X^I 

But this is the simulation state for [/ 1-0), and hence C(U) evolves the sim- 
ulation state to produce a new simulation state corresponding to U 
Compositions of unitaries will also evolve the state correctly so that the 
measurement statistics at the end of a circuit will be identical to that of the 
reference circuit. 

General quantum operations may be mapped similarly. It is easy to 
verify that in Krauss representation a completely positive map is mapped to 
a completely positive map if we apply C(-) to each of the Kraus operators. 
The trace preserving property is also preserved. Applying the properties of 
C(-) we see that 
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Continuous time evolution 

We begin with a Hamiltonian H. Instead of applying C(-) to obtain the 
simulation Hamiltonian, we make a small modification, introducing a —1 on 
the complex conjugated part, thus 

H' = |0)(0| ®H- 1 1 >< 1 1 ®H*. (2.9) 

This reflects the fact that complex conjugating a Hamiltonian corresponds to 
time reversal. The evolution of the state will be according to the Schrodinger 
equation 

U{t) = e- im (2.10) 

We may take advantage of a property of the exponential function, namely 
exp(v4 + B) = exp(A) + exp(B) — I when AB = = BA, which may be 
easily verified by examining the Taylor expansion. Since |0)(0| |1)(1| = we 
obtain 

e -iH't = e -i|0X0[®JR + e i\qi\9H*t _ j (2.11) 

We now use another property of the exponential function: exp (P <g) A) = 
P <g> exp (A) - P ®I + I when P 2 = P. We obtain 

e- iH>t = |0)(0| ® e~ lHt + | X>< 1 1 ® e iHH . (2.12) 

Finally, we use the Taylor expansion and the fact that a* b* = (ab)* to see 

e *^* = ( e (iff't)*)*=(e- <Ht )*. (2.13) 

Thus 

e -iH't = C ( e -iHt^ ( 214 ) 

and the simulation evolution tracks that of the reference system. 

Another way to think of this is similar to that used in the real simulation 
in section 2A There, rather than considering the Hamiltonian alone, the 
whole matrix in the exponent, —iHt, was considered. Applying C(-) to this 
matrix we obtain 

|0)(0| (8) (-iHt) + |1)(1| g> (-iHt)* = i (|0)(0| ®H- |1)(1| ® H*) t. (2.15) 

Here the fact that a* b* = (ab)* means (—iH)* = iH* and the —1 factor is 
explained. 
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2.5.3 Non-local computations 

The above family of simulations suffer from the same problem as the real 
simulation: every operator must have access to the extra qubit added in 
the simulation. This makes the simulations unsuitable for multi-party com- 
putations. This problem can be solved in the same manner as for the real 
simulation. There an extra qubit was added for each party in the computa- 
tion and an entangled state was prepared across these qubits. New operators 
were then defined that interact with these qubits locally in order to have the 
same effect as the single qubit in the original real simulation. 

In order to perform the simulation correctly, each party needs to know 
whether to apply the original operator or the complex conjugate. For classical 
mixtures this is no problem, since this information can be stored in a local 
classical bit for each party. For quantum mixtures, the extra qubit is encoded 
in a logical qubit which is stored across a number of qubits, each located with 
a different party. More specifically, each party has a qubit and the combined 
state is prepared in the GHZ-like state 

a|00...0) \ip'). (2.16) 

Each party can perform a desired unitary by applying the operator specified 
in equation |2.7| with the Z operator acting on their local qubit. We see that 
the Z operator introduces a —1 phase on the imaginary part of the operator 
when the local qubit is in the state 1, thus applying the complex conjugate 
of the operator. 



2.5.4 Real simulation in the continuum 



The real simulation (section 2.4) can be expressed as a simulation in the 
family defined above through a change of basis. Starting with the state 
defined for a = (3 = ^ we have 

hA') = ^|o)hA) + ^|i) W). 

We next apply a Hadamard gate followed by the relative phase rotation 

1 

-i 
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to the extra qubit. This is the same as applying the unitary 



U=( \ ]). (2.17) 



-% % 



The resulting state is 

1 
2 

which can be rewritten as 



0)(|^) + l^»-o|l>(W-|^)) 



|0> i2e(|V)) + |l>/m(|V» 

and the real simulation is recovered. 

Operators are transformed quite easily. For operator M we conjugate 
C(M) by U <g) /. From 2.7 we see that the resulting operator is 

(U ® /) C(M) (17+ <g> J) = J <g> i?e(M) Jm(M) (2. 18) 

which is exactly the operator used in the real simulation for M. 

For the multiparty real simulation the extra qubits added for each party 
must also be transformed correctly. We start with the state 

_L|oo...o)|^) + -^|ii...i) 

We now apply a Hadamard gate to each extra qubit, resulting in the state 

V X V X 

where h(x) is the Hamming weight (number of Is) of the bit string x and k 
is the number of parties. Collecting terms gives 

even odd 

We now apply the relative phase rotation as above to each extra qubit, re- 
sulting in the state 



even odd 
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which is the correct state for the multi-party real simulation. 

Another way to see this latter transformation is in terms of stabilizers. 
In [MMG09] it is noted that the entangled states used in the simulation are 
stabilized by Y s ® Y t for distinct s, t. Also note that the states used in the 
simulations defined here are stabilized by Z s <g> Z t for distinct s, t. The qubit- 
wise transformation applied transforms Z into Y. Collecting terms for the 
real and imaginary parts completes the transformation. 



2.6 Simulations in a cryptographic setting 

Suppose that two or more parties are engaged in a cryptographic protocol us- 



ing self-tested apparatus. Later, in section 3.7 we will develop the extended 



Mayers- Yao test which allows them to determine that the devices are imple- 



menting a simulation from the family of simulations described in section |2.5| 
Suppose further that the adversary, Eve, knows how the devices are imple- 
mented (she provides them) and controls the preparation of the state. The 
honest parties only perform operations as specified for the simulation. Eve, 
on the other hand, is free to interact with the extra qubits in the simulation 
in any way she likes. Does this give any advantage to Eve? 

Eve can potentially perform many operations, including entangling a 
qubit of her own with the extra simulation qubits allowing her to perform 
simulation operations. She may also interact in complex ways with the ex- 
tra simulation qubits along with the original register, including performing 
encoded anti-unitary operations. Despite this, we are able to prove that Eve 
can gain no advantage for some protocols. 

We explore a restricted class of protocols that are especially easy to an- 
alyze. These are protocols where the only operation that an honest party 
will do is a Pauli measurement. This class includes the six-state quantum 
key distribution protocol (implemented as an entanglement based protocol) 
(see [BBBW84J, |Bru98j ). Briefly, the 6-state QKD protocol uses three mea- 
surements, X, Y, and Z instead of only X and Z as in BB84. We will 
demonstrate that these protocols do not leak any more information when 
implemented using one of the simulations. 

The proof is a series of security reductions to protocols in which each 
reduction only increases Eve's power. We will show that the final protocol 
in the reduction is just as secure as the reference protocol (without the sim- 
ulation applied), hence the simulation protocol is also just as secure as the 
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reference protocol. 

For the first reduction we suppose that the participants in the proto- 
col measure their simulation qubit in the Z eigenbasis after the protocol is 
completed, and transmit the result to Eve. This does not interfere with the 
intended protocol and only increases Eve's information. Since the Z mea- 
surement commutes with all simulation operations, the participants could 
just as well have performed the measurement before the protocol began. If 
Eve is the one who prepares the initial state for the simulation (in other cases 
Eve has strictly less power) then Eve could also perform this measurement 
herself. This measurement would collapse the state to an eigenvector of the 
Z measurements and Eve's strategy would be a mixture of different strategies 
with the states each an eigenvector of the Z measurements. 

Let us examine the result of Eve choosing one of these eigenvector states. 
Each of the parties will receive their extra qubit prepared in a Z eigenvector. 
The effect of this on their operations is either to perform the protocol's 
original operation (in the case of a |0)) or the complex conjugate (in the case 
of a |1).) For Pauli measurements, only the Y measurement is affected: the 
output bit is flipped in the case of the complex conjugate. 

If every party receives the same eigenvector in their extra qubit, then the 
protocol reduces to either the original or the complex conjugate. In either 
case the security is identical to the original protocol. If the extra qubits are 
not in the same eigenvector then some Y measurements outcomes will be 
flipped and some will not. This does not affect Eve's information since she 
controls which outcomes are flipped and can undo the flips in her reckon- 
ing of the final classical information. Note that the bit flips may introduce 
errors into the protocol. If the protocol does not explicitly check for such 
errors (as does the 6-state protocol) a test for these errors may be required, 
however the lack of such a test does not leak information to Eve. Thus the 
reduced protocol is as secure as the reference protocol, and so is the simulated 
protocol. 

2.7 Quantum formalism over other rings 

In the previous sections we have shown that quantum physics over the com- 
plex numbers is indistinguishable from quantum physics over the real num- 
bers. That is to say, there is no experiment that can be designed where 
the predictions of complex quantum physics are different from those of real 
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quantum physics. The natural question to ask is whether the same is true if 
we move to quantum physics over the quaternions or other division rings. 

2.7.1 Why other rings? 

Although the amplitudes for quantum states are usually taken to be complex 
numbers, we might imagine other objects could be used. Of course these ob- 
jects must have certain properties in order to be suitable. We will argue that 
the only objects that can be used are the real numbers, complex numbers, 
or quaternions. The argument follows that of Adler |Adl 95j. 

Suppose that the amplitudes are drawn from a set V. Adler argues that, 
since all measurable quantities will reduce to real numbers, we may take 
V as a general division algebra over the real numbers. In order to define 
normalized states, and to use the square rule for deriving probabilities we 
must have a modulus function, N, which assigns a non-negative "size" to 
each element. That is, N : V > 1R + . We would like N to have the properties 

1. N(r(f)) = \r\N(<j>) 

2. N((j) + 6) < N((f)) + N(6) 

3. N((j)) > if (f) ^ 0. 

These properties are required for N to be a norm on V. Adler also imposes 
one more constraint. We begin by considering the inner product between 
two states, (a\b) G V. Inserting a resolution of the identity, we obtain 

(a|6) = £>|c> <c|&> (2.19) 

c 

where |c) runs over some basis (not necessarily including \a) or \b)). If there 
is only one non-zero term in the sum then we obtain 

(a\b) = (a\c) (c\b) . (2.20) 

Adler now imposes the restriction 

N((a\b)r = N((a\c}rN((c\b)r (2.21) 

which recovers classical probability superposition. Taking the square root 
everywhere, we obtain the property 

N((f)6) = N((j))N(6). (2.22) 
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We now apply a result due to Albert ( |Alb47j ): the only division algebras 
over the reals for which an N exists with the properties above are the real 
numbers, the complex numbers, and the quaternions. This means that the 
only number systems that can underly the quantum formalism are these 
three. (Unless, of course, we modify the formalism in some important way.) 

We have established a short list of number systems to consider. Why 
should we consider anything other than the complex numbers? From a foun- 
dations perspective we would like to eliminate all possibilities that are not 
the usual quantum formalism. If we can argue that using something other 
than the complex numbers would result in a theory that is not viable for some 
reason, then we do not need to assume the use of the complex numbers as 
an axiom. A particularly attractive outcome would be an experiment which 
eliminates other number systems. 

2.7.2 Bell inequalities and real quantum formalism 

In |Gis07] , Gisin notes that all known Bell inequalities can be maximally vi- 
olated using states and measurements described using only real numbers. 
Gisin then asks whether this is true for all possible Bell inequalities, or 
whether there exists a Bell inequality for which a higher violation can be 
achieved if complex numbers are used. If the latter is the case then such an 
inequality, and the accompanying physical experiment, could experimentally 
prove that complex numbers are required. Pal and Vertesi prove in [PV08J 
that the former is true. The results in this section provide a different and in- 
dependent proof, since their construction is different. Moreover, the present 
work applies much more generally. Indeed, there is no experiment whatso- 
ever whose outcomes cannot be duplicated by another experiment described 
using only real numbers. 

More generally, the real simulation shows that quantum formalism over 
the real numbers is the same as over the complex numbers in the following 
sense: there are no experimental outcomes predicted by complex quantum 
formalism that cannot be predicted by real quantum formalism. The refer- 
ence experiment in the complex formalism translates into the real formalism 
via the real simulation, giving the same predictions. From a foundations per- 
spective, then, the distinction is not problematic. We can use either number 
system. Of course there may be more practical reasons for preferring one 
over the other. With the real numbers, calculations may be more cumber- 
some, since a larger Hilbert space will in general be necessary. Also, many 
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Figure 2.3: Multiplication in the quaternion group 



operations are permitted by the real quantum formalism, such as an encoded 
complex conjugation, that do not seem to occur in nature, so the complex 
formalism may offer a better fitj^J This need not be a problem, however, as 
the complex formalism also allows operations, such as energy non-conserving 
operations, that do not occur in nature as well. 



2.7.3 Quaternionic quantum physics 
Quaternions 

The Quaternions (H) , first described by William Hamilton |Ham44j , are a di- 
vision ring formed by adjoining new elements, i, j, and k to the real numbers 
M. Thus a quaternion looks like 

q = a + ib + jc + kd. (2.23) 

The new elements have the properties 

i 2 = f = k 2 = ijk = -1. (2.24) 



The multiplication of the elements i, j, k is summarized in figure [273] , When 
multiplying two elements along an arrow (eg. ij) the result is the third 
element in the cycle. When multiplying backwards along an arrow (eg. ji) 
a —1 factor is added. So ij = k and ji = —k. The elements 1 and —1, of 
course, commute with the other elements. 

Just as complex numbers have a real and imaginary part, quaternions 
have a scalar and vector part. The scalar part is the part which lies on 
the real axis. We denote it by Re(q). The vector part, also called the pure 



3 Thanks to Bill Wootters for pointing this out. 
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imaginary part, is everything else, and in general is a vector in M. 3 . We denote 
it by Im(q). The scalar and vector parts of q, defined above, are R(q) = a 
and Im(q) = ib + jc + kd. 

Like in the complex numbers, we may define the conjugate of a quaternion, 
which multiplies each of the non-real parts by -1. Thus the conjugate of q is 



The norm on the quaternions is analogous to that for the complex numbers, 
i.e. 



The most important difference between the complex numbers and the 
quaternions is that the quaternions do not form a commutative algebra. This 
property will be the basis for the rest of our discussion. 

Quaternionic quantum mechanics 

Quaternionic quantum mechanics is formed, roughly speaking, by replacing 
every complex number in the usual quantum mechanics by a quaternion. 
Thus states are vectors over the quaternions, so amplitudes are now quater- 
nions instead of complex numbers. The usual norm-squared rule applies for 
deriving outcome probabilities, and discrete time evolution is described by 
unitary matrices U over the quaternions with the usual property UXP = I. 
Now the Hermitian conjugation (•) is the matrix transpose, followed by 
quaternionic conjugation. 

Although many more aspects of quantum mechanics, such as continuous 
time evolution, may be considered, these few properties will suffice for our 
discussion. For a comprehensive treatment of quaternionic quantum mechan- 
ics, see Stephen Adler's book [A dl95j . 

The tensor product problem 

The non- commutative nature of the quaternions introduces many new prop- 
erties into quaternionic quantum mechanics. The one we are most interested 
in here is the nature of multi-partite systems. 

Consider a bipartite system in the state ^= ( 1 00) + |11)). Define the uni- 
tary matrices Ri and Rj as 



q* := a — ib — jc — kd. 



(2.25) 




(2.26) 
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Ri=\n ■) (2-28) 



'1 N 

vO h 

We consider different ways that we may apply these matrices. First we apply 
Ri to the first subsystem, obtaining 4= ( 1 00) + i |11)). Next we apply Rj to 
the second subsytem, obtaining 

-L(|00)-*|11». (2.29) 

Now consider the same operations, but applied in the reverse order. We 
apply Rj to the second subsystem, obtaining ^ ( 1 00) + j 1 11)), followed by 
Ri applied to the first subsystem, obtaining 

-L(|00)+A:|11)). (2.30) 

Here we see the non-commutativity of EI in action. The two states in equa- 



tions 2.29 and 2.30 are orthogonal, but all we have changed is the time- 
ordering of two local operations on separate subsystems. 

The above problem may be stated as follows: Ri® I and / <8> Rj do not 
commute. This extends to the tensor product problem: How do we define 
Ri®Rjl Evidently the evolution of subsystems cannot be considered without 
considering the context of the system as a whole. Adler |Adl95j considers 
the same problem in the context of continuous evolution: 

We conclude, then, that in quaternionic quantum mechanics, a 
sum of N > 2 one-body Hamiltonians gives a many-body Hamil- 
tonian that does not describe N independent particles; the par- 
ticle motions are coupled through the noncommutativity of the 
quaternion algebra. (Adler [Adl95j, p. 245) 

What does this mean for locality? Is there such thing as a local transfor- 
mation? Is it possible for Alice and Bob to actually perform the operations 
Ri® I and I <g> Rj7 The formalism does not answer this question. However, 
we may address this problem in another way. If Alice and Bob can locally 
perform these operations, then they can implement a non-local box. 



2.7.4 Quaternionic non-local boxes 

The non-local box, first defined by Popescu and Rohrlich in |PR94j . is an 
imaginary device which produces non-local correlations between data in the 
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following way: Two distant parties, Alice and Bob, each have half of the box. 
They have one bit of input each, a and b, and input their bit into their half 
of the box. Each half of the box produces one bit of output, x and y, obeying 
the property 

x®y = ab. (2.31) 

The content of the famous CHSH inequality [CHSH69] is that this condition 
cannot be satisfied by a non-signalling classical local hidden variable theory 
with probability better than 0.75 when a and h are chosen uniformly at 
random. Quantumly, we can do better, but are bounded above by cos 2 n/8 ~ 
0.85, the Cirel'son bound |Cir80| . 

Now we consider the case of quaternionic quantum mechanics. Evidently 
it has stronger non-local behaviour than complex quantum mechanics, but 
how strong? Clearly we can at least achieve the Cirel'son bound since any 
strategy in complex quantum mechanics also exists in quaternionic quantum 
mechanics, but can we do better? The answer is that we simulate the non- 
local box perfectly. 

Consider the two parties, Alice and Bob, as before. Before receiving their 
inputs they synchronize clocks and choose times t\ < t 2 < £3 < £4 < £5 such 
that £1 is after they receive their inputs and £5 is before they require the 
outputs (we may arrange it so that the time elapsed is too short to allow 
signalling by moving Alice and Bob far enough away from each other.) They 
also share the state 4g ( 1 00) + k |H}). 

Alice does the following: 

1. Receive input a. 

2. If a = then apply operation R{ at time £1. 

3. If a = 1 then apply operation Ri at time £3. 

4. At time £5 measure in the basis |+) / \—) and output the result as x. 
Meanwhile, Bob does the following: 

1. Receive input b. 

2. If b = then apply operation Rj at time £4. 

3. If b = 1 then apply operation Rj at time £2. 
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4. At time t 5 measure in the basis |+) / 1— ) and output the result as y. 



The protocol is depicted in figure 2.4 



Roughly what is happening here is that Alice applies her operation before 
Bob in all cases except when both of their inputs are 1. Alice and Bob then 
detect this event using local measurements that are correlated except when 
Bob goes first, in which case they are anti-correlated. 

Consider the outputs that Alice and Bob generate. First note that the 
final state before measuring will be |00)± |11). If Alice and Bob both measure 
in the basis |+) / |— ) their outcomes will be the same if the relative phase 
was + and opposite if the relative phase was — . 

Suppose that Bob's input is 0. He will wait until before applying Rj. 
Regardless of her input, Alice will apply Ri before Bob applies Rj. Thus the 
combined effect on is a relative phase change of —k, taking the state to 
. Then Alice and Bob's measurements will agree and x © y = = ab. 

Meanwhile, if Bob's input is 1 the situation changes. If Alice receive the 
input then she applies Ri at time t±, Bob applies Rj at time t 2 and the 
situation is the same as above. However, if Alice receives the input 1 then 
she applies Ri at time £3, after Bob applies Rj at time £2- I n this case the 
effect on is a relative phase change of k, taking the state to {(/)-)■ In this 
case Alice and Bob's measurements will disagree and x © y — 1 = ab. 



Communication complexity and information causality 

We now briefly consider communication complexity. Suppose two parties, 
Alice and Bob, receive two inputs, a and b. They wish to compute the value 
of some function f(a,b). How much communication is necessary between 
Alice and Bob? (for simplicity, we suppose that Alice receives the final an- 
swer.) Here we are interested in boolean functions, whose output is a single 
classical bit. It has been shown by van Dam |vD05] that the communication 
complexity of all Boolean functions is trivial if non-local boxes are available. 
This means that Bob needs to send only one bit of information to Alice, and 
Alice does not have to send anything to Bob. However, there exist Boolean 
functions, such as the inner product between two strings, for which the com- 
munication complexity in either a classical or quantum setting is maximal 
(i.e. the optimal strategy is for Bob to transmit his entire input to Alice) 
[BB L + 06] . Coupled with the current result we find that within quaternionic 
quantum mechanics the communication complexity of all boolean functions 
is trivial. 
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Figure 2.4: Quaternionic non-local box 



Later Brassard et al. |BBL + 06] turn van Dam's result around, saying that 
if there is a non-trivial bound on the communication complexity of boolean 
functions, then non-local boxes do not exist. They also made this result 
robust by introducing a notion of probabilistic communication complexity 
and showing that if a non-local box can be approximated with probability 
better than w .906 then every boolean function has trivial probabilistic com- 
munication complexity. Linden et al |LPSW07] finally showed that for a 
particular boolean function (AND of two 2-bit strings) if a non-local box can 
be approximated with probability better than cos 2 7r/8 (the quantum upper 
bound) then no communication is required and the function can be approx- 
imated better than the classical (and quantum) bound of 0.75. Turning 
this result around, if the communication complexity of AND of 2-bit strings 
is non-trivial, then the non-local box cannot be approximated any better 
than what is achievable by quantum mechanics. In particular, if there is a 
non-trivial bound on communication complexity then quaternionic quantum 
mechanics is not a viable theory. 

Following this work, Pawlowski et al. [P PK + 09~] developed the notion of 
information causality which can be seen as a generalization of no-signalling. 
Both classical and quantum theories obey information causality. Pawlowski 
et al. were able to show that any physical theory which obeys information 
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causality also obeys the Cirel'son bound |Cir80] . Thus this is another way of 
excluding quaternionic quantum mechanics as a viable physical theory. 
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Chapter 3 
Self-testing 
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3.1 Introduction 

Self-testing is a solution to the follow problem: perform a quantum calcu- 
lation using only untrusted quantum devices and be sure that the result is 
correct. For many tasks, such as factoring, this may be trivial since the re- 
sult can be checked quickly using only classical computation. However, it is 
not known whether all problems efficiently solvable by a quantum computer 
can be checked in this fashion (i.e. it is not known whether BQP C NP). 
Thus there are potentially problems for which a classical check is inefficient. 
In this chapter we present and extend the main self-testing concepts and 
constructions, as developed in |MY04] and |MMMU06j . 

3.2 Literature review 

Self-testing was introduced by Mayers and Yao in |MY98j . The initial ap- 
plication was to quantum key distribution. In prepare and measure QKD 
protocols, it is important that the photon source used does not contain side 
channels that leak information on the basis choices, although this may be 
difficult to establish for particular physical implementations. Mayers and 
Yao proposed to solve this problem by using a self-checking photon source. 
The idea is that the manufacturer who provides the photon source would also 
provide several measurement devices. The devices would measure the signal 
from the photon source and generate some statistics. Checking the classical 
statistics, the participants in the QKD protocol could then verify that the 
photon source is operating correctly before continuing the protocol. 

An important consideration in this work is that the photon source is 
implemented as a source of EPR pairs. One qubit from the EPR pair is 
measured, and the other is sent out cLS cL SI eiial. The self-check consists of 
establishing that the initial state is indeed an EPR pair, in which case the 
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signal does not contain any information about the basis choice since this 
is only made on the other photon in the pair. This reliance on EPR pairs 
is a feature that is present throughout the remaining self-testing literature. 
Another important feature is that the dimension of the Hilbert space of 
the source is not known beforehand, allowing the result to be applicable in 
situations where almost nothing is known about the physical implementation 
of the devices. 

Mayers and Yao improved their result in |MY04] . In particular, they 



broadened the scope of their self-test to a generic setting of a source of EPR 
pairs and two sets of measurements (one for each half of the state.) Again 
the result shows that the source produces EPR pairs, but in addition the 
measurements are also characterized. This is remarkable since they begin 
without any trusted apparatus, and end up with both a characterized source 
and measurement devices. 

In a parallel development, van Dam et al. [yMMSOO] investigated self- 
testing in the context of quantum circuits. In particular, they developed a 
series of tests in which a verifier interacts classically with a quantum appara- 
tus by preparing states and measuring in the computational basis and estab- 
lishes that a gate is operating correctly. (The gate comes with an attached 
specification.) This work extends self-testing in to the realm of general com- 
puting, but relies on some important assumptions. In particular, the Hilbert 
space of the state is assumed to be known and the devices are used several 
times with the assumption that it operates identically each time. Also, the 
computational state preparation and measurement is trusted, and finally the 
self-tests are only applicable to a particular set of gates (which is sufficient 
for universal computation.) 

The two lines of research were merged in [MMMO06J by Magniez et al.. 
There, the reliance on a particular Hilbert space and trusted computational 
bases preparation and measurement is removed. This is done by preparing 
states in a variety of bases; EPR pairs are prepared and one half is measured 
in three different bases. This initial step is self-tested using the Mayers- 
Yao result. As well, the Mayers- Yao result is invoked to characterize the 
measurement devices. Once these two steps are accomplished, the gate is 
the only remaining untrusted element, and it may be tested using the now 
trusted state preparation and measurement. Besides introducing the circuit 
test, Magniez et al. improved the Mayers- Yao result by making it robust, 
allowing their circuit test to be robust as well. 
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3.3 Definitions and main Theorems 



3.3.1 Self-testing concepts 

The context for self-testing includes a verifier and several black-box quantum 
devices. Ideally, no assumptions are made about the devices that cannot be 
verified in some way. For example, we wish not to make any assumptions 
about the Hilbert space that states live in and gates operate on. 

The verifier interacts with the quantum devices in three ways. First, the 
verifier arranges the quantum devices into a circuit by connecting quantum 
inputs and outputs of various devices. Second, the verifier provides classical 
inputs (measurement settings) to the devices. Finally, the verifier obtains 
classical outputs from the devices (outcomes) . Importantly, we assume that 
no signalling occurs between devices that are not explicitly connected in the 
topology, and if there is some physical channel then this cannot be used to 
communicate backwards. 

Assumption 3.1. No communication occurs between quantum devices that 
are not explicitly connected. Further, quantum communication from the out- 
put of one device to the input of another device is one-way. 

There are two pieces of information about an experiment available to the 
verifier. First, the topology is known, since the verifier is responsible for it. 
Second, the verifier may estimate the statistics generated by the experiment, 
provided the experiment behaves the same each time it is used. 

Assumption 3.2. The quantum devices behave the same each time they are 
used. 

The statistics will allow the verifier to determine if the physical experi- 
ment simulates the reference experiment. In the case that it does not, we 
offer no conclusions. If it does, however, then we can make some non-trivial 
conclusions about the structure of the physical experiment, which will be the 
subject of this chapter. 

3.3.2 Equivalence 

For general reference experiments, if the verifier is able to calculate the statis- 
tics generated in order to compare with a physical experiment, then there is 
little value in performing the physical experiment; the verifier may do the 
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calculation themselves. The strength of self-testing is in choosing experi- 
ments for which the statistics are easy to calculate - many such experiments 
are performed, each one adding more gates - and combining the conclusions 
gained from each experiment to conclude that the final experiment simulates 
the desired reference experiment. 

In order to combine results about individual experiments and make the 
final conclusion, we need a notion stronger than simulation. Consider the 
case of factoring. A physical experiment that outputs the factors of a large 
number may perform the calculation in any number of ways, from Shor's 
algorithm to brute force search. All of these methods simulate each other, 
but clearly they are different in important ways. For this reason we introduce 
the concept of equivalence. We intend to capture the idea that, to the greatest 
extent we can possibly conclude, the physical experiment is the same as the 
reference experiment. 

When defining a notion of equivalence in this setting we must first con- 
sider how me might change the reference experiment in a way that preserves 
the statistics of the outcomes. Any such change is invisible from the perspec- 
tive of the verifier and hence we cannot rule them out. Here is a list of such 
changes 

1. Local changes of basis 

2. Adding ancillae to physical systems, prepared in any joint state 

3. Changing the action of the observables outside the support of the state 

4. Locally embedding the state and operators in a larger (or smaller) 
Hilbert space 

In order to accommodate these various changes we define equivalence as 
follows: 

Definition 3.1. A reference experiment is described by a n-partite state \ip) 
on Hilbert space X = X\ ® . . . X n and local measurement observables (acting 
on a single part) M m for various m. Further, consider a physical experiment 
described by a n-partite state \ip') on Hilbert space y = <8> • • • <8> y n and 
local measurement observables M' m for various m. We say that the physi- 
cal experiment is equivalent to the reference experiment (and the physical 
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state and measurement observables are equivalent to the reference state and 
measurement observables) if there exists a local isometry 



(3.1) 



$(|^}) 



\junk) y (g)M m \tfj) 



x ■ 



(3.2) 
(3.3) 



When we are performing gate testing, we will be concerned with several 
experiments, and several equivalences at once. The particular isometries and 
junk state \junk) y used will be important. In this case we will specify them. 

The isometry $ may be constructed by attaching ancillae in some product 
state 1 00 . . .0)^. and applying local unitaries to the subsystems. Note that 
if we make any finite number of changes from the list above then we may 
construct a suitable local isometry and show that the experiment is equivalent 
to the reference experiment. Also, any experiment that is equivalent to 
the reference experiment may be constructed by applying changes from the 
list above: one simply attaches ancillae in the state \junk) and performs a 
suitable change of basis. Equivalence is thus exactly the notion we need to 
take these changes into account. 

3.3.3 Results and contributions 

The central idea behind self-testing is that, for certain carefully chosen ex- 
periments, simulation implies equivalence. Furthermore, experiments may be 
grouped together to strengthen the conclusions. This allows us to construct 
self-tests for 

• EPR pairs along with a particular set of measurements 

• Real unitaries on single qubits and CTRL-Z gates 

• Arbitrary circuits composed of the above gates 

These results are already present in [MY04J and [MMMO06J, however we 
make several contributions: 

• Streamlined definitions and notation 
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• New (and often simplified) proofs for all results 

• Corrected proofs for certain technical lemmas 

• Explanation of the restriction to real unitaries 

We also extend the definition of equivalence, taking into account the results 
of chapter |2j and extend the Mayers and Yao test for EPR pairs to include 
complex measurements. This lays the foundation for self-testing of complex 
gates. 

The extended Mayers and Yao test is to be published in [M Marj . 



3.4 State and measurement testing 

The backbone of self-testing is in testing states and measurements. Since we 
cannot test these individually without relying on some trusted apparatus, 
we test them simultaneously. The test that we use here was developed by 
Mayers and Yao |MY04| . 

Theorem 3.1 (Mayers and Yao |MY04] ) . Suppose a physical experiment has 
the same topology and generates the same statistics as the reference experi- 



ment described in section \3.4-l\ Then the physical experiment is equivalent 
to the reference experiment. 



3.4.1 State and measurement self-test reference exper- 
iment 

A general schematic for the Mayers- Yao reference experiment is shown in 



figure 3.1 A bipartite state is distributed to a pair of measurement 
devices. The two measurement devices take classical inputs a and b, which 
each take one of three values. The devices then output classical bits, x and 

y- 

The reference state is an EPR pair = j= (|00) + |11)) and the refer- 
ence measurement observables are X, Z, for each side of the EPR pair. 

For brevity we label = D. For physical devices we will have to derive 
this relationship, so there the separate label D is required. 
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Figure 3.1: Mayers- Yao self-test circuit 

3.4.2 Proof of Theorem l3?T 
Proof Overview 

The main advantages of the following new proof for the Mayers- Yao self-test 
is that it is shorter, clearer, and more naturally extends to the more general 
test given in this paper. 

The proof has two distinct parts. The first part establishes some equations 
on the state and observables based on the observed statistics. These are 
straightforward and are a direct result of the statistics observed. Next we 
use these equations to show that the X and Z observables on each side 
anti-commute on the support of the state. The second part uses the anti- 
commuting observables to construct local isometries that take the state and 
observables to the reference state and observables. 

Statistics 

In the reference experiment the marginals for each observable are all 0. That 
is, 

(<f>+\ M ® I \</>+) = 

for M G {X, Z, D}. (Swapping the systems in this and the following equa- 
tions gives the same result since \<p + ) is symmetric.) Measuring the same 
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observable on both sides always give identical outcomes. Thus 

(0 + |M® M|0 + ) = 1. 
Additionally, X and Z measurements are uncorrelated. 

X® Z\<j> + ) = 0. 

The interesting part comes when we measure X or Z on one side and D on 
the other. 

X <g> D |0+) = (0+| Z®D |0+) = -J= 

State equalities 

Using the equations on the measurement outcomes from above and the fact 
that |V) is normalized gives us the following equations. 
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We can also establish some orthogonality relationships between various 
vectors. In particular the vectors |V) , X A <S> I , Z A <S> I |V) > X a Za ® I |V) 
are pairwise orthogonal. 

Our goal for the remainder of the proof is to show that any state for which 
these equations hold must be equivalent to |0+). 
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Anti-commuting observables 

We now move to more salient matters. First, we note that Da <8> I \tp) must 
be in the space spanned by Xa ® I \ip) and Za <S> I because it has overlap 
^= with each of these orthogonal vectors, and it has norm 1. Thus 

D A ®I\$) = XA + r ZA ® I \ip) 
v 2 

and analogously for I ® Db \ip)- This allows us to make the following deduc- 
tions. 



D A ® D B |V) 

l -{X A + Z A )®{X B + Z B )\i 
+ (X A ®Z b + Z a ® X b ) 



Applying equations |3.7| and |3.8| we obtain 

(X A Z A + Z A X A ) <g 



0. 



(3.14) 



By Lemma 3.1, below, it follows that Xa and Za anti-commute on the sup- 
port of on A. Similarly, the observables X B and Z B anti-commute on 
support of \ip) on B. 



Lemma 3.1. Let Xa and Za be operators and \4>) AB a bipartite state such 
that 

X A Z A ® I B \4>)ab = -ZaX a ® I B H)ab ■ 
then XaZa \<j>) = —ZaXa \<f>) for any \<p) in the support of 



(3.15) 



i AB 



on A. 



Proof. Let 



1 B 



(3.16) 



\^) = Y, X ^) A \3)i 

j 

be the singular value decomposition of \ip). We then have 

X A Z A ®IbJ2 X i \3)a \3)b = - Z aXa ® I B ^2 ^ \j) A \j) B . (3.17) 
j j 

We now take the inner product with \k) A \k) B for some k, to obtain 

X k (k\ A X A Z A \k) A = -X k (k\ A X A Z A \k) A . (3.18) 
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Z B 



















Figure 3.2: Circuit for $ showing equivalence of physical circuit to reference 
circuit in Mayers- Yao test 

When we restrict to the subspace to the subspace spanned by the \k) A for 
which Afc 7^ (i.e. on the support of on A) we find that XaZa = —ZaXa- 

□ 



Construction of the local isometry 

Now we can easily build the local unitaries required to extract the EPR pair. 



We use the circuit shown in figure 3.2 There the outer |0) states are added 
while the two inner wires carry the two halves of the bipartite state 
This circuit essentially builds a SWAP gate out of two CNOT gates (the 
usual third gate is not necessary since we initialize with |0).) The SWAP 
gate extracts the entanglement out of \ip) and swaps in a product state. 

The circuit gives two isometries, one for each wire in EPR test circuit, 
which we denote $^ and $_b- 
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Isometry applied to state 

After applying this circuit the resulting state is 

$4®<MIV)) = \{i + z A )®{i + z B )\i,)\m) 

+ ^(I + Z A )®X B (I-Z B )\il;)\01) 
+ 1 -X A {I-Z A )®{I + Z B )\^)\1Q) 
+ - A X A (I-Z A )®X B (I-Z B )\i;)\ll). 



Applying some equations and the anti-commuting result from the previous 
section we find that this is equal to 

§a ® *b{W)) = l -{i + z A )®{i + Z B ) |V) (|00) + |11)) + 

(/ + Z A )(I - Z A ) ® X B |V) |01) + X A ® (/ + Z fl )(/ - Z B ) IV) 1 10) 

= -^(J®/ + J®Z B )|V>|0+>- (3-19) 

This may look curious since I + Z A and / + Z B are not unitary. In fact it 
is easy to show that the final state still has the correct norm. To give some 
intuition, note that in the reference case we want to extract \<fi+) and swap 
in|OO) = ^(/ + Z)®(/ + Z)|0 + ). 

Isometry and measurement operators 

We start with X A (the result for X B follows analogously). Applying X A to 
|V) before applying the circuit is the same as applying it at the end, with a — 1 
phase introduced by anti-commuting past the controlled Z A operation (recall 



from section 3.4.2 that X A and Z A anti-commute on the relevant subspace). 
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The resulting state is 

$ A <g> $ B {X A ® J B IV-)) = |X A (/-^i)®(/ + ^fl)|V)|00) 

+ + (J + Zb)|V}|10) 

+ j(/ + Z a )®Xb(J-^b)|^)|11)- 



Following the same logic as used in the state equivalence, we find that the 
final state is 

$ A <g> $b(X a <8) / = ® / + / <g> Zb) (X g> /) |0+) . 

v2 

For the Z4 operation, we see that the effect is a —1 phase kicked back 
through the final controlled Xa operation. This phase appears on the terms 
with 1 1) in the qubit, exactly as if a Z operation had been applied to the qubit. 
The equivalence for the D operators results from the fact that D = on 
the relevant subspace, and linearity. 



This concludes the proof of Theorem 3.1 . 



3.5 Gate self-test 
3.5.1 Main result 

Unlike state and measurement testing, gate testing will require three differ- 
ent experiments. The first two are state and measurement tests, and the last 
verifies the operation of the gate. We wish to test a gate T e U (X) with 
the restriction that T have all real matrix entries. For our purposes we will 
consider X = I-L2 with T any real unitary, and X = with T = CTRL-Z. 
Note that this set of gates is sufficient to simulate universal quantum com- 



putation using the real simulation given in section 2.4 The reference state 
|0) will either be an EPR pair, |0+), or a pair of EPR pairs. Measurements 
M a and Nt, will be the tensor products of the real operators {/, X, Z, ^f}- 
The experiments are as follows: First we test the state |0) and the mea- 



surements, as in figure 3.3 (experiment 1). This establishes that the state 
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Figure 3.3: EPR test 













T 







\1>) 













T 







Figure 3.4: EPR test after gates applied 



is correct, and that the measurements applied directly to the state are also 



correct. Next we apply T <g> T to \(f>) and then measure, as in figure 3.4 



which tests whether the measurements are still operating correctly after the 
gate is applied (experiment 2). (Note that for T real and our chosen state, 



T ®T \ 4>) = |0).) Finally, we apply T®I to |0) and measure, as in figure 3.5 
(experiment 3). 

We can think of the final test in the following way: Measuring the B side 
of the maximally entangled state is equivalent to preparing a state on the 
A side. Critically, there is no information about the basis A side. We then 
apply the gate to this prepared state and measure afterwards in a variety 
of bases to establish that the gate is working. Also, since there is no way 
to distinguish the second and third tests from the A side alone, either the 
measurement is working correctly or will be detected as faulty. 

Recall Assumption 3^2, that the devices always operate the same. Also, 
we assume that there is one way communication along the quantum channels 
and no side channels. Thus the devices cannot determine which experiment 
is being performed. The B side measurements devices cannot distinguish 
between experiments 1 and 3, and so the B side measurements on experiment 
3 are implicitly tested by experiment 1. Likewise, the A side measurement 
devices cannot distinguish between experiments 2 and 3, and so are implicitly 
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Figure 3.5: Testing a gate 



verified by experiment 2 to be working correctly in experiment 3. 

One potential concern is the fact that a physical device may hold the 
state in memory rather than receiving it from the source device. In fact 
this is not a concern. If this were the case, then we simply take \vp) to be 
the state held in memory across all devices. There remains the possibility 
that the maximally entangled pairs found in experiment 1 and 2 are not the 
same pairs. However, they must in fact be the same pair since the statistics 
generated by experiment 3 are only possible for a maximally entangled state, 
with one measurement the same as in experiment 1 and the other the same 
as in experiment 2. The net result is that we do not have to concern ourselves 
with this possibility since the Theorem takes care of this case as well. 

Theorem 3.2. Suppose that a collection of physical devices are arranged into 
three physical experiments: 

• (experiment 1) \ip) with measurements M' a <g> N' b 

• (experiment 2) G ® H' \ip) with measurements M" ® N' b ' 

• (experiment 3) G' <8> Iy \ip) with measurements M" <g> N' b . 

Further suppose that each physical experiment simulates the corresponding 
reference experiment described above. Then there exist unitaries Ua, Ub, Va, Vb 
and state \junk)y such that 

• physical experiment 1 is equivalent to reference experiment 1 with uni- 
taries Ua® Ub 

• physical experiment 2 is equivalent to reference experiment 2 with uni- 
taries Va <S> Vb 
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• physical experiment 3 is equivalent to reference experiment 3 with uni- 
taries Va®Ub 

with junk state \junk)y in each case. Moreover, 

V A G' ® I X U\ = I y ®T (3.20) 
on the support of \junk)y 2 on 3^4- 

The theorem compares the reference gate T with the physical gate G, and 
establishes, roughly, that if G simulates T then it is equivalent to T. 

3.5.2 Technical background for proof 
Choi-Jamiolkowski representation 

We first define the Choi-Jamiolkowski representation of a linear map on op- 
erators |Jam72j |Cho75] and discuss its properties. We define it as follows 

Definition 3.2. Let $ : L(X) — > L(Y) be a linear operator. Then the Choi- 
Jamiolkowski representation of $ is given by the operator 

j^) = J2H\x)(y\)®\x)(y\ 

x,y 

operating on the space L(Y) <8> L(X) 
An equivalent definition is 

J($) = $ g) I L(X) j \xx){x'x'\ \ . 

\x,x' / 

Thus «/($) can be found by applying $ to one half of a maximally entangled 
state on X <g> X, finding the density matrix, and multiplying by a suitable 
scaling factor (the dimension of X). 

We will use the following properties of J( ( &). 

Theorem 3.3. Let $ : L(X) -»■ L(Y) and J($) be given. Then 

• $ is completely positive if and only if J($) is positive semi- definite. 

• $ is trace preserving if and only if TryJ($) = Ix- 
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• $ is unitary if and only if </($) is rank 1 and the above two conditions 
hold. 

For more details and rigorous proofs, see Watrous' lecture notes |Wat08a] . 
We do not give a formal proof here, but instead offer some intuition. If we 
interpret </(<&) as the output from the completely positive map $ <g) I, then it 
should be PSD whenever the input is. For the second property, we start with 
a maximally entangled state, so tracing out one side should leave us with the 
completely mixed state. For the last property, we are inputing a pure state, 
so the output should be pure if the map is unitary. The converses of these 
statements are, of course, more difficult and we leave out the proofs. 



Technical Lemmas 

The following Lemma is a restriction of Lemma 5 appearing in |MM MO06j , 
arXiv version. The proof given by Magniez et al. contains an error, since 
real density matrices in general are not in the span of the tensor products of 
{I, X, Z}. As a concrete example, |0+ )(</>+ 1 contains Y <S)Y, a real matrix, in 
its decomposition into Paulis. Here we give correct proofs for the case of two 
qubits, the case of four qubits with T = CTRL-Z, and the case of a tensor 
product of such gates on any number of qubits. The proof for the second 
case could be adapted to work with other two qubit Clifford gates as well. 

Lemma 3.2. Let a = \ip){ip\ be a two qubit state with = T <g> 1 1$+) and 
T a unitary having real coefficients. Further, suppose that 

Tr(pM <g> N) = Tr{oM <g> N) (3.21) 

for M, N E {I, X, Z}. Then p = a . 

Proof. We first fix some notation. Let U and V be 2-qubit Pauli operators. 
Let U • V be defined by 

U-V = l 1 ^ andycommute ( 3. 22) 
1—1 U and V anti-commute. 

Also, for density operator p (and analogously for a and other density opera- 
tors) define pu by 

Pu = Tr(pU) (3.23) 
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and analogously for other density operators. Note that \pu\ < 1. 

We will make use of the following observations about a, which can be 
easily verified from the fact that T is unitary and real. For M and N Pauli 
operators we find 

• a M(g,N = ^ 
M,NeI,X,Y,Z 

• o~y®m = o"M®y = when M/Y 

• |o"y®y| = 1 

• cr M ®/ = (T/ 8 m = for all M ^ I. 

Since a and p are positive semi-definite, we have 

Tr (pUarf) > 

for any unitary U. We may write this, using the notation above, as 

£ PP<x P (f/-p)>o. 

Pe{/,x,yz}® 2 

With the choice U = Y <g> / we find 

1 — Pm®n&m®n + Py®yO"y®y = — 1 + py®y°Y(g>y > 0. 

M,iVe{X,Z} 

This is obtained by removing terms and noting that YIm n<={x z} a M®N = 2- 
The implication is that <Jy®y = Py®y and hence (Jm®n = Pm®n whenever 
0-Mcg.Ar is not 0. 

Let S be the set of Pauli operators M eg) iV for which o m®n ^ 0. Then, 
since <Jm®n = Pm®n for all M <8> iV e 5 we have 



Tr (p 2 ) = 1 + i E 



4 

since p has trace 1. This immediately implies that Pm®jv = for M ® N £ S 
and hence Pm®n = &m®n for all M ® N . Recall that the 2- fold tensor 
products of the Pauli operators form a basis for the space of 2-qubit states. 
Thus p = a. □ 
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Lemma 3.3. Let a = 



be a four qubit state with 



\1>) = CTRL-Z ® I B I 1 - \ x )a\x)b) 

\ *G{0,1} 2 / 



(3.24) 



Further, suppose that 

Tr(pM <g> N) = Tr(aM <g> N) 
for M,N e {I,X,Z}. Thenp = a. 



(3.25) 



Proof. The proof follows the same plan as for the two qubit version. To 
begin, we examine the effect of CTRL-Z on the two qubit Paulis. Define 
C(P) to be CTRL-Z (P) CTRL-Z for two qubit Pauli P. This is summarized 
in the following table: 



c(0 


I 


X 


Y 


Z 


i 


II 


ZX 


ZY 


IZ 


X 


XZ 


YY 


YX 


XI 


Y 


YZ 


XY 


XX 


YI 


Z 


ZI 


IX 


IY 


ZZ 



(3.26) 



(It may benefit the reader to note that the table is symmetric and C(-) is its 
own inverse, since CTRL-Z has these properties.) The state \ XLe{o i} 2 \ x ) a \ x ) bi 
written as a density operator, is 



1 

16 



E (-D 

M,Ne{I,X,Y,Z} 



Sm,y+$n,y 



J ' Y (M ® N)a <S> (M ® N) 



B- 



(3.27) 



Note the coefficient, which is —1 when exactly one of M and N is Y. We 
find that a is given by 



1 

16 



(-1) Sm > y+Sn ' y C(M®N) a ®(M®N) b (3.28) 



M,Ne{I,X,Y,Z} 



and hence 



|C(M 



'®N') A ®(M®N) B | — 8m'®N>,C(M®N)- 



(3.29) 
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As for the two qubit case, we have 

Tr (pUarf) > 

for any unitary U. Dropping the zero terms and subbing in, we may write 

J- {-1) &M < Y+S ^ PC{ M®N) A ® { M®N) B > 0. 

Define 

R(M <S> N) = (-1) 5m ' y+5n ' y p C (M®N) A ®(Mm) B (3.30) 
in which case we find 

R( M ®N)(U- C(M ®N)®(M® iV)) > 0. (3.31) 

M,N 

We will prove that R(M®N) = 1, in which case we have P(m®n) a ®c(m®n) b = 
o~c(m®n) a ®{m®n) b - Note that this is given by the conditions of the Lemma in 
the cases where C(M ®N)®(M®N) is a tensor product of {I, X, Z}. This 
occurs hrM(g)Ne{I(g)I,I(g)X,X(g)I,Z(g)I,I(g)Z,Z(g)Z,X(g)Z,Z(g)X}. 

We find the inequalities with U = (Y®I) A , U = (I®Y) A , U = {Y®I) B , 
and U — (I <8>Y) B and sum them, dividing by 4. We obtain 

R(I ®Y) + R(Y ® I) + R(Y ®Z) + R(Z <g> Y) > 4. (3.32) 

Since all four values R values appearing cannot exceed 1, we find that they 
are all equal to 1. Next we find the inequality for U — (Z <g) Z) A . For the 
four remaining unknown R values we obtain 

R(X ® X) + R(Y ®Y) + R(X ®Y) + R(Y ® X) > 4 (3.33) 

and again all four R values must be 1. 

We now have (Jc{m®n) a ®(m®n) b = Pc(m®n) a ®(m®n) b - There are 16 such 
terms. By examining the trace of the squares of a and p, and following the 
same reasoning as in the two qubit case, we conclude that the remaining 
terms must all be 0. Thus a = p. 

□ 

Lemma 3.4. Let a = be a 2n qubit state with \ip) =T A ® Ib |$+) 0n 

and T a tensor product of gates that are either single qubit real unitaries or 
CTRL-Z . Further, suppose that 

Tr(pM (g) N) = Tr(aM ® N) (3.34) 

where M,N G {/, X, Z}® n are one of the following 
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• For a single qubit gate in the tensor product, M and N measure that 
qubit and its pair 

• For a two qubit gate in the tensor product, M and N measure those 
qubits and their pairs. 

Note that M or N may be the identity (measuring marginals). Then p = a. 

Note that the EPR pairs are each divided into A and B sides and T is 
applied to the n A side qubits. 

Proof. Divide up p and a into pairs or fours of qubits, depending on whether 
the gate is a single qubit gate or a CTRL-Z. For each piece trace out the 
remaining qubits and apply the appropriate two or four qubit version of the 
Lemma. Then, since the reduced qubit on each piece is pure, p and a are 
both the tensor product of the reduced qubits. □ 

Future work. Extend the previous Lemma to two-qubit Clifford gates, and 
ultimately all real gates. 

Like the previous Lemma, a similar Lemma to the following appears in 
[MMMO06J (arXiv version) as Lemma 6. Also like the previous Lemma, the 
proof given by M agniez et al. relies on the claim that the real density matrices 
are in the span of the tensor products of {/, X, Z}. We give a correct proof 
that uses the Choi-Jamiolkowski representation. The technique used will be 
applied several times in the remainder of this chapter. 

Lemma 3.5. Suppose that a physical experiment with bipartite state \ip) G y 2 
and with measurements M' a £g> N' b (Mq = Nq = Iy) is equivalent to the ref- 
erence experiment with a maximally entangled state \<f>) G X 2 and measure- 
ments M a <S> N b (M = N = I x ). Then there exist unitaries Ua,Ub G 
U(y <g> X) such that 

U A ® U B (M' a ® Ni) \iP) y \00) x = \junk) y2 M a <g> N b \<f>) x (3.35) 

and 

U A (M' a ® Ix) U\ = I y ® M a (3.36) 
when confined to the support of \junk) y2 on y A , and analogously for N' b . 
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Proof. Equation 3.35 follows directly from the definition of equivalence and 
a straightforward extension of the local isometry. From this fact we make 
the following observations: 

|V) |00) = (M' a ® IxtfU\ ® U B \junk) y2 M a ® 

£r fl 10)* • (3.37) 



Applying equation 3.35 with Mq and Nq, we find 



\]unk) y2 \4>) x = U A ® C/ B (M^ ® /y B ® J^a^E/i ® *4 |junfc)-y a T a <g> J* fl \<j>) x 

(3.38) 

and hence 

C/ A {M' a ® I*) C/t |jwifc> y2 |0)^ = \junk) y2 M a ® \(p) x . (3.39) 

We now introduce a technique which will be quite useful. Let $ be the 
quantum operation on X defined by adding ancilla in the state \junk)y 2 , 
applying U A {M' a ® Ix) U\ and finally tracing out the y 2 register. Note that 
the above equation has (after tracing out the y 2 register) left side equal 
to </($)/ dim(A') and the right side (after tracing out the y 2 register) is 
J {Mq) I dim (A*) (abusing notation a little). From this we may conclude 
that $ equates to simply applying T a and is hence unitary. The operator 
Ua {M' a ® lx)U\ must then have the form Wy ® M a (when restricted to the 
support of \junk)y 2 ) and since the 3^ register remains in the same state, we 
conclude that W is the identity. 

We apply the same reasoning and obtain the analogous result for N b . □ 

3.5.3 Proof of main Theorem 



We begin by applying Lemma 3.5 twice, to obtain 

U A ® U B M' a ® N' b |V) |00) = \junk) y2 M a ® N b \<f>) (3.40) 

U A {M' a <g> Iy)U\ = Iy® M a , U B {N' b ® Iy)U B = Iy ® N b (3.41) 
when confined to the support of \junk) y2 on the appropriate side, and 

V A ® V B Ml ® N£G' ® H' |V) |00) = \junk 2 ) y2 M a ® N b \<j>) (3.42) 
V A {M': ® Iy)V\ = Iy® M a , V B {N' b ' ® Iy)V B = Iy ® N b (3.43) 
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when confined to the support of \junk 2 )y 2 on the appropriate side. By virtue 
of these equations, we find that there must be local unitaries operating on 
3^4 and ys that take \junk2)y 2 to \ junk)y 2 . We may absorb these operations 
into Va® Vb and take \junk 2 )y 2 = \ junk)y 2 . Note that this does not disturb 



equation |3.43| since the redefinition of Va ® Vb amounts to conjugating the 
y 2 register on the right sides. Thus we find 

V A ® V B M'l ® N' h 'G' ® H' \if>) |00) = \junk) y2 M a ® N b \<j>) . (3.44) 

Now we consider the case when G' is applied and H' is not applied. We 
wish to see what this means if we convert to the reference experiment, so we 
consider the following state: 

\6) = (V A ® U B ) (C ® Iy ® I**) |^) |00) . (3.45) 

Applying our equations from above we find that this is equal to 

(V A ® U B ) (G' ® Iy ® I x2 ) (u\ ® U B ) \junk) y2 \<f>) (3.46) 

= (V A (G' ® I x )uty ® I B \junk) y2 |0) . (3.47) 

Define the quantum operation $ on X by attaching an ancilla in the state 
\junk)y 2 , applying (Va(G' ® Ix)U A j and tracing out the y 2 register. Then 

J(^) = dhn(^y<\0)(0\). 

We wish to characterize J($). To this end we note that di ^ x ^ Tr(M a ® iVj, J($)) 

(6\ I y2 ®M a ®N b \6). Note that 

V b (H'®I Xb )U b \6) = Va®V b G'®H'®I x2 \tP) |00) = \junk) y2 \<f>) x (3.48) 

and since this differs from \6) only on the B side, the support of \6) on y B 
is the same as the support of \junk)y 2 on y B - We obtain 

' -Tr(M a ® N b J($)) = (il>\ ((G / ) t ® Iy) (M" ® Nfi (G' ® Iy) \$) . 



dim(AT) 

(3.49) 

Since G' ® Iy\ip) with measurements M" ® N' b simulates T ® 1 10) with 
measurements M a ® N b we have 

Tr (J($)M a ® N b ) = Ti(J(T)M a ® N b ) . 
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Lemma 



3.2 



then implies J(<&) = J(T). From this we conclude that 



V a {G' ®I X )U\ = W ®T (3.50) 

for some W G U(y). Since W ®T preserves \junk)y 2 we must have W = Iy 
on the support of \junk)y 2 on 3^4- 

3.5.4 A conspiracy against self-testing complex gates 

The restriction to real gates in the reference experiments may seem a bit 
curious, but has an easy explanation. If the gate had complex entries, then 
there would be no way of distinguishing the reference experiment from an 
otherwise identical experiment that had the complex conjugate applied. That 
is to say, the complex conjugate of an experiment simulates it. However, 
the definition of equivalence requires the existence of a unitary operation 
that takes the physical experiment to the reference experiment, but complex 
conjugation is anti-unitary. Thus there can be no extension of the gate testing 
Theorem to complex gates with the current definition of equivalence. Real 
gates are acceptable because complex conjugation does not affect them. 

Complex conjugation does not pose very great a problem, since apply- 
ing the complex conjugate can be seen as a change in convention. Nothing 
changes in the structure of the experiment. However, the simulations de- 
scribed in chapter [2] introduce many new physical experiments that simulate 
the reference experiment, and none of them are equivalent to the reference ex- 
periment. Further, these simulations are defined on different Hilbert spaces 
from the reference experiment and hence something more complex than a 
change in convention is happening. In the case of real gates, however, the 
simulations all reduce to the reference experiment, allowing the gate testing 
Theorem to go through. 



Later, in section |3.7[ we introduce a new definition of equivalence that 
takes the simulations into account. We then extend the Mayers and Yao 
result to include complex measurements. This paves the way for a gate 
testing Theorem allowing complex gates. 
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Figure 3.6: EPR test after two gates applied 



3.6 Circuit testing 



3.6.1 Overview 

We now turn our attention to testing an entire circuit. We begin with a 
given circuit composed of single qubit real gates and CTRL-Z gates. We 
may divide this up into a sequence of unitaries operating on all qubits. Each 
of these unitaries is a tensor product of single qubit and CTRL-Z gates 



and thus is efficiently testable, as discussed in section |3.5| Each of these 
gates is tested against the reference gate determined by the given circuit. As 
explained below, this allows us to conclude that the entire physical circuit 
is equivalent to the reference circuit when both are considered as one large 
unitary. Finally, we perform the circuit by measuring on one side in the 
computational basis and performing the physical circuit on the other side, as 



shown in figure 3.8 



3.6.2 Composabiltiy 

In order to test a sequence of gates we perform gate tests after each gate is 
added. This is illustrated in figures [376] and [377] After each gate is tested, the 
gate is applied to the other half of the state, taking the state back to (a state 
equivalent to) the maximally entangled state \4>). This allows us to test the 
next gate in the sequence as though it were applied by itself. The following 
Lemma, applied inductively, allows us to conclude that the sequence of gates, 
applied together, is equivalent to the sequence of reference gates. 

Lemma 3.6. Suppose we have two sets of experiments satisfying the condi- 



tions of Theorem 3.2, the first testing G[ against unitaries T\ and the second 
testing G' 2 against T 2 such that experiment 1 of the first set coincides with 
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Figure 3.7: Testing a second gate 




Figure 3.8: Performing a self-testing circuit 



experiment 2 of the second set. The conclusions of the Theorem hold with 
G' 2 G' 1 tested against T 2 T X . 



Proof. From Lemma [375] and Theorem |3.2| we find unitaries Ua, Ub, Va, Vb, Wa, Wb 
such that 

U A (M' a <g> Iy)U\ =Iy® M a , U B (N' b ® I y )U B = Iy <g> N b (3.51) 

V A {M'l ® Iy)V\ = Iy® M a , V B {N' b ' ® Iy)V B = Iy ® N b (3.52) 

V A {M™ ® Iy)V\ = Iy® M a , V B {N' b " ® I y )V B = Iy®N b (3.53) 

V a {G' x ®I x )Ul = I®T 1 (3.54) 

W a (G' 2 ® J*) y a t = / ® T 2 (3.55) 

all for the support of \junk)y 2 on 3^4- Note that although we have used the 
gate testing Theorem twice, we can use the same junk state since experiment 
2 from the first use is the same as experiment 1 from the second usage of the 
Theorem. We also find 



U A ® U B M' a <g> N' b |V> |00) = \junk) y M a ® N b 



(3.56) 
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Applying these results we see that 



(W A ®U B ) (M"' ® N£) (G' 2 G[ <g> / y ) 
and 



|00) = \junk) y2 (M A <g> A B ) T 2 T x ®I_ 



x 



W a {G' 2 G' 1 ®I x )U A = I®T 2 T l . 



Thus the conclusions of Theorem 3.2 hold for the gate G^G'^ 



(3.57) 

(3.58) 

□ 



3.6.3 Testing on a particular input 

Since we usually do not want to perform a circuit on a random input, we 
need some control over what the input will be. The solution proposed in 
[MMMO06J is to measure one side of the EPR pairs in the computational 
basis and then use the results to place X gates as necessary on the other 
half of each pair to correct the result to the desired input. The X gates 
placed this way are then incorporated into the definition of the circuit to be 
tested. Note that for this solution to work the calculation must come first. 



With Assumption |3.2| in place this is not a problem, but if we hope to adopt 
less restrictive assumptions then this method could easily be defeated since 
the devices could easily subvert the calculation and perform correctly on the 
subsequent tests. 

Another solution to this problem assumes that the EPR pairs may be 
manipulated individually. Suppose we have n EPR pairs. Measure half of 
each EPR in the computational basis. If the result was the desired result, 
then keep the other half. If not, then discard the other half and prepare a 
new EPR pair. Repeat until n EPR pairs have been prepared. Since the 
EPR pairs are all prepared individually there is no problem with exponential 
blowup as n increases. A variation on this solution is to prepare N > n EPR 
pairs and use only those pairs for which the measurement gives the correct 
result. If N is made sufficiently large then success is expected with high 
probability. 



Blind state preparation 

Although conceived with the notion of circuit testing in mind, self-testing 
could find application in QKD or other security related areas. In this context 
the state preparation method used has some advantages. For example, by 
measuring half of an EPR pair to prepare a state on the other half there can 
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be no side channel information about the basis used. One may wish to choose 
a particular state, however, so corrections might need to be made. If one is 
not careful, the correction may reveal the basis. For example if the bases are 
chosen from the eigenbase of X and Z, then a Z or X correction, respectively, 
may be necessary and the correction depends on the basis. There are several 
possibilities for defusing the situation. The first is to use Y as a correction, 
but this is not currently self-testable. A second possibility would be to always 
apply one of Z or X. If the X eigenbasis were chosen and a correction is 
needed, then Z is applied, otherwise X is applied which does not affect the 
state. Other possibilities exist, but the main idea is always to choose an 
operation that may be a correction for one basis, or not affect the other 
basis. 



3.7 Extending the Mayers and Yao self- test 

The original Mayers and Yao EPR test provided only a small set of mea- 
surements. Conspicuously missing is anything with complex coefficients. An 
important consequence of this is that the circuit test is not able to test gates 
with complex coefficients; only gates with real coefficients can be tested. 

In fact the Mayers and Yao test cannot be directly extended to include 
any measurements with complex coefficients. This is a result of the notion of 
equivalence that they use. Suppose that we wish to include the Y measure- 
ment in the set of reference measurements. The devices could just as easily 
implement —Y, the complex conjugate. So long as all complex measurements 
were complex conjugated it would be impossible to tell. Although this does 
not present an immediate problem - such a transformation is internally con- 
sistent and produces the correct outcome statistics - we cannot transform 
such a circuit back into the reference circuit using unitary transformations. 
Anti-unitary transformations are required. 

If this were the whole story we could simply require that the physical 
circuit be transformable into either the reference circuit or its complex con- 
jugate. However, the real simulation, and now the family of simulations, 



defined in section 2.5 are also indistinguishable from the reference circuit 
and not unitarily transformable into the reference circuit. 

We have one encouraging fact: all of the known simulations are equiv- 
alent to a simulation from the family of simulations (or a classical mixture 
of them). We now prove that we can extend the Mayers- Yao experiments 
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such that these are the only simulations. Hence we may extend our no- 
tion of equivalence to include these simulations and obtain a new self-testing 
Theorem. 

Theorem 3.4. Suppose a physical experiment duplicates the statistics gener- 
ated by the reference experiment described in section \3.7.1\ Then the physical 
experiment is equivalent to one of the simulations of the reference experiment 
described in section [Ol 

With the extended state and measurement testing in place there exists 
the possibility of testing complex gates as well. 

Future work. Extend gate testing to complex gates using extended definition 
of equivalence. 

3.7.1 Extended Mayers- Yao self-test reference experi- 
ment 

The extended Mayers- Yao test will consist of three regular Mayers- Yao tests, 
performed together. Alice and Bob will perform the Mayers- Yao test with 
measurement settings (labelled with subscript A when used by Alice, and 
subscript B when used by Bob): 

1. X, Z, and D 

2. X, Y, and E 

3. Y, Z, and F 

In the reference experiment the measurement settings X, Y and Z are 
realized by the Pauli operators, with Yb = —Y and otherwise Xa = Xb = X, 
Ya = Y, Za = Z B = Z. The other settings are realized by D A = 
E A = ^f } F A = ^on Alice's side and D B = ™, E B = , F B = 
on Bob's side. Bob's Yb measurements all carry the —1 phase since measuring 
the state \<f> + ) with the operator Y <8> Y produces —1 instead of 1 as in the 
Mayers- Yao reference experiment. The reference state is again 
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3.7.2 Proof of Theorem 



3.4 



We start by assuming that the states are all pure as in the Mayers- Yao test. 
Again we may incorporate the purification of a mixed state into either Alice 
or Bob's state by adding an ancilla. 

First we apply the Mayers- Yao result with the measurements X, Z and 
D. We find that we may apply a suitable local isometry $ to take the Xa, 
Z A , X B and Z B measurements to X Qa <g> I Ra , Z Qb <g> I Ra , X Qb <g> I Rb and 
Zq b <S)I Rb where R A and R R are the junk registers. Meanwhile the state has 
the form \4>+)q a q b ® \ junk) RaRb , where Qa and Q R are the qubit registers 
that the measurements act on. 

We now consider the remaining measurements. The reference circuits for 
these measurements can be transformed using local unitaries into the usual 
Mayers- Yao reference circuit. Thus we may apply the result. However, we 
stop short of using the full result. In section [3.4.2 we note that the measure- 



ment observables Xa and Za anti-commute on the support of the state, as 
do X R and Zb- When we apply this result to the remaining measurements 
in the extended test, we find that Xa and Ya anti-commute on the support 
of the state, as do Xb and Y B , Za and Ya and Zb and Yb- For the remaining 
discussion we will limit ourselves to the support of the state. 

Consider the A side measurements first. We may express Ya as 

p,k 

where the Ps are Pauli operators and the EkS are other operators (i.e. pick 
a basis for Hermitian matrices consisting of Pauli matrices tensor product 
with something else). Since Y A anti-commutes with Xq a <g> I Ra all the terms 
with P = X must be 0. Indeed, since —Ya = (Xq a <g> I Ra )Ya(Xq a <g> I Ra ) we 
have 

- yP,k P Q A ® E k,R A = VP,kPQ A <8> E k>RA - Y VP^Pqa ® E k,R A 

P,k Pe{I,X},k Pe{Y,Z},k 

where on the right hand side we have separated out the terms that commute 
with Xq a eg) I Ra and those that anti-commute. We see that we must have 
Vx,k = -Vx,k = and y I>k = -y I>k = for all k. 

Applying similar reasoning and the test with Y and Z we find that yz,k = 
for all k. Thus Ya = Yq a <g> M Ra for some Hermitian and unitary M Ra . 
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We consider the two eigenspaces of M Pa . If they are not the same dimension 
(or if there is only one eigenvalue), we may construct an isomorphism that 
adds extra dimensions to Ra and extend M Pa onto the new dimensions 
so that both eigenspaces have the same dimension. Next we construct an 
isomorphism that maps the space to a tensor product between a qubit and 
a space with half the dimension of Ra- We construct it so that the +1 
eigenspace gets mapped to the subspace spanned by states of the form |0) \x) 
and the -1 eigenspace gets mapped to the subspace spanned by |1) \x)- Then 
Mr a gets mapped to Z ® I. Let Pa be the qubit register, and R' A the 
remaining register. We obtain 

Y A h+ Y Qa ® Z Pa ® I K (3.59) 

under the isomorphism described above. Importantly this isomorphism does 
not disturb Xa or Za since it only operates on the junk register. Thus 



we may modify $ obtained from Theorem 3.1 to additionally perform the 
isomorphism just described. 

The above process can be repeated for Bob's side, with analogous con- 
clusions. In order to be consistent with the reference experiment, we may 
construct our isomorphism so that Yb m- — Yq b ® Zp B ® I r > b . 

Now we turn our attention to the state. From the Mayers- Yao test on X 
and Z we know that the state on Qa <8> Qb (after applying $) is | </>+). We 
next consider the state on the remaining registers, which we denote \9). We 
may express this in the singular value decomposition, split between Pab and 

\8) = Y,^\j) PAB \j) R ' (3-60) 



R'ab 



22 "3 U/P AB ir; 

3 



with Xj > 0. Since the Y measurement setting gives correlated results (recall 
we introduced a -1 factor on the B side measurement observable) and the form 
of Ya and Y B , the states \j) P . must all be +1 eigenvectors of Z Pa ® Z Pb . 
If this were not the case then a —1 phase would be introduced and the 
measurement results would be incorrect at least some of the time. Thus the 
only possible states for \j) P are superpositions of 1 00) and |11). We do 
some relabelling and arrive at 

M = \4>+)q*» ® { a \°°)p AB \ 9 oo)r' ab + P \ 11 )p ab \^)r' ab ) ( 3 - 61 ) 
with \6qq) and \6u) not necessarily orthogonal. Note that tracing out the 



R'ab ancillae results in a state of the form in equation 2.4 Thus we have 
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demonstrated that the physical experiment is equivalent to the reference 
experiment, and completed the proof of Theorem 3.4 



3.8 Robustness and assumptions for imple- 
mentations 

The results in this chapter are concerned with probability distributions which 
exactly match. However, if there is any hope for a physical implementation 
then this requirement must be relaxed and the Theorems made robust. Ro- 
bustness was established for the Mayers and Yao test, as well as the gate 
test in [MMMO06J. These robustness results show that error in the statistics 
translates to a polynomial sized error in the equivalence. This is measured 
in terms of the 2-norm on states and the operator norm on gates. These are 
not the preferred measures of error since they do not have a straightforward 
operational interpretation. 

Future work. Determine robustness of the tests using operationally mean- 
ingful measures such as the trace norm on states and diamond norm on 
operations. 

Another consideration is that the robustness results relied on technical 
Lemmas with incorrect proofs. Also, the robustness of the extended Mayers 
and Yao test has yet to be determined. 



Future work. Determine robustness of Lemmas \3.2\ \373[ \3.4\ \ 37b\ and The 
oremlS~4\ 



Another important consideration for potential physical implementations 
is the assumptions necessary to gather statistics. Here the physical experi- 
ment defines a probability distribution on outcomes, but in order to estimate 
this probability distribution many trials must be made. For this to make 
sense, we must make some repeatability assumptions: 

Assumption 3.3. The physical devices have no memory and always operate 
identically and the state for each trial is unentangled with other trials. 

This allows us to take many samples from a single physical experiment 
and estimate the probability distribution. In some situations this assumption 
may not be reasonable. One potential means of relaxing this assumption 
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would be to use techniques from QKD proofs, such as the quantum de Finetti 
Theorem, to allow arbitrary states. 

Future work. Relax assumptions on state and devices. 

3.9 Authenticated quantum computing 

A recent development with goals very similar to self-testing is blind quan- 
tum computing, introduced by Broadbent et al. in [BFK08j . We are specifi- 
cally interested in authenticated quantum computing, which is an extension 
of blind quantum computing. Authenticated quantum computing involves 
a semi-quantum verifier (able to only prepare qubits in a finite number of 
states) and a quantum prover. Using measurement based quantum com- 
puting [ RBOlj and fault-tolerant quantum computing techniques the verifier 
sends the prover several qubits prepared in random states known only to 
the verifier and then interacts classically with the prover. The goal is for 
the verifier to have the prover perform a quantum circuit and be able to 
certify, through classical interaction only, that the correct circuit has been 
performed. An important side effect of the process is that the prover does 
not know what the circuit is, even at the end of the protocol (hence blind 
computing.) 

The goal is similar to that of self-testing, but the verifier requires some 
quantum capacity. In an extension of their result, the authors claim that 
the verifier can interact with two isolated provers (who are entangled) and 
eliminate the requirement for state preparation by the verifier. The idea is 
to begin with the two provers sharing a number of EPR pairs. The verifier 
first interacts with one prover, using the authenticated blind quantum com- 
puting protocol (without first sending qubits) to implement a circuit that 
simply measures half of each EPR pair in a randomly chosen bases, emu- 
lating the verifier's state preparation. Next, the verifier interacts with the 
second prover, again using the authenticated blind quantum computing pro- 
tocol, performing the desired circuit with the other half of each EPR pair. 
A similar result was shown by Aharonov et al. in [ABOE08J. 

The claim is that the verifier cannot distinguish between errors occurring 
in each prover, and so we can assume that all errors happen in the second 
prover. Then the authenticated blind quantum computing protocol used with 
the second prover will catch all errors. Hence a pair of cheating provers will 
be caught (with high probability). 
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From the perspective of black-box quantum computing we may identify 
two important problems with this argument. The first is that the argument 
is not sound. The simulations in Chapter [2] indicated that it is possible for 
the two provers to perform a conspiracy that produces the correct outcome 
statistics, but does not implement the reference circuit. In particular, the 
measurement based quantum computing model used in the protocol requires 
operations that are complex. Thus the general simulations are not unitarily 
equivalent to the reference circuit. We may view the conspiracy as "errors", 
in which case the claim that all errors will be caught during the interaction 
with the second prover does not hold: there are conspiracies in which both 
provers perform "errors" that cannot be caught at all. 

One counterargument to the above criticism is that all the general simula- 
tions would still provide the correct classical outcome, regardless, and hence 
the protocol is still sound. To be clear, we do not claim that the protocol is 
not sound, only that the proof is not sufficient. As well, this simply high- 
lights the second problem, which is a lack of a rigorous claim. The final claim 
is that any language in the complexity class BQP has an interactive proof 
with a BPP verifier and two non-interacting BQP provers. However, this is 
not immediate since the authenticated blind quantum computing protocol is 
not about recognizing languages in BQP, but performing quantum circuits. 
The implied mediating claim is that the two prover protocol, for any desired 
reference circuit, certifies that the reference circuit was performed, hence any 
language in BQP may be recognized by the protocol. 

Here it is unclear how to precisely say that the reference circuit was 
performed. The obvious interpretation, that the initial state was correct 
and each gate and measurement in the circuit was performed, is clearly not 
sufficient, since the general simulations (and even the unitarily equivalent 
simulations, if we are to be precise) defeat this claim. From the perspective of 
self-testing we may offer a more suitable claim: that the physical experiment 
was unitarily equivalent to either the reference experiment or one of the 
general simulations of it. As our counterargument above shows, this is the 
most that can be established. Fortunately, it is sufficient to imply the desired 
final claim: that all languages in BQP have classical interactive proofs with 
two non-interacting BQP provers. Unfortunately, there is currently no proof 
of such a claim. 

Future work. Show that the authenticated blind quantum computing pro- 
tocol, with two entangled provers, certifies that a general simulation of the 
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desired reference circuit was implemented by the provers. 
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4.1 Introduction 

Traditional quantum key distribution protocols, such as BB84 [BB84J and 
Ekert91 |Eke91] rely on a model of the physical devices being used in order 
to determine a secure key rate. In prepare and measure protocols, for ex- 
ample, a model of the source is used to determine to what extent Eve may 
differentiate between the various states sent and in all protocols a model of 
the measurements performed is incorporated into the parameter estimation 
portion of the protocols, deriving estimates of the states received. 

In contrast, device independent quantum key distribution (DIQKD) aims 
to provide security without relying on a particular physical device model. 
The intent is to provide a higher level of security. Physical devices used for 
implementing QKD protocols are vastly more complicated than the simple 
physical models used in security proofs, allowing for a mismatch between 
theory and reality. If the security models are not conservative enough this 
may lead to an insecure physical implementation of a theoretically secure 
protocol. 

In this chapter we describe the device model used in DIQKD and discuss 
the existing literature on the subject. In particular, we will be interested in 
the line of inquiry leading to the AMP06 protocol [AMP06J and subsequent 
reinterpretation in the DIQKD framework. We then consider the previous 
security models and provide some partial results extending security to a more 
general model. 

The original material in this chapter is published in |McK 09aj. 
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4.2 Literature review 



For the current work we are interested in four different lines of research. 
The first line of research is that of non-signalling based key distribution, 
from which the AMP06 protocol is drawn. The second is a pair of articles 
that introduce the notion of DIQKD and give a partial proof of security 
of the AMP06 protocol within the DIQKD framework. For our expanded 
proof we require some techniques from the literature on QKD security proofs, 
particularly those of Renner. Finally, it will be useful to review some concepts 
from the literature on Bell inequalities. 

4.2.1 Non-signalling key distribution 

The AMP06 protocol was introduced in [AMP06J, which belongs to the lit- 
erature on non-signalling based key distribution protocols. These protocols 
do not rely on quantum mechanics being correct for their security. Rather, 
they consider a wider context of probability distributions which are limited 
by being non-signalling. 

Non-signalling distributions 

Consider a probability distribution P(x, y\a, b) which assigns a probability to 
outcomes x and y for each inputs a and b. The inputs a and b are analogous 
to measurement settings in the usual QKD framework, with x and y the 
measurement outcomes. We associate the variables x, a with one location, 
controlled by Alice, and y, b with another location, controlled by Bob. 

We define a probability distribution of this form to be non- signalling 
according to the following definition 

Definition 4.1. A probability distribution P(x,y\a,b) is non-signalling if for 

every a, b, x, y 

1. P(x\a, b) = P(x\a) 

2. P(y\a,b) = P(y\b). 

The marginal distributions above are found by summing over the possible 
values of the variables not mentioned. For example 




v',< 



(4.1) 
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The definition of a non-signalling distribution says that the distribution of 
one outcome is not dependent on the measurement setting in the other loca- 
tion. Such distributions are consistent with general relativity and cannot be 
used to transmit information. 

Non-signalling key distribution makes use of different principles for se- 
curity than does QKD. While QKD uses measurements to perform some 
quantum state estimation (typically measuring deviation from a maximally 
entangled state), non-signalling key distribution uses correlation functions on 
probability distributions (measuring deviation from a non-local probability 
distribution). 

Often, Bell inequalities are central in the discussion of non-signalling key 
distribution, but the security of such schemes usually depends, not on the 
inequality itself, but on an analysis of the correlation functions that Bell in- 
equalities bound. The Bell inequality provides a lower bound on the strength 
of correlations necessary for secure key generation, since local distributions 
cannot generate secure key. However, the bound may not be tight, as in the 
CHSH based protocol considered by Masanes [Mas08j where even quantum 
correlations give a zero secure key rate. 

Non-signalling literature 

Non- signalling key distribution was anticipated by Barrett et al. |BLM + 05| 
with a study on the value of non-signalling distributions as information the- 
oretic resources that may be converted between one another much like how 
different entangled quantum states may be converted to one another using 
LOCC operations. Later, Barrett et al. [BHK05] introduced a proof-of- 
concept protocol which uses many trials to estimate the expected value of a 
correlation function and produces a single bit of secure key. Their protocol is 
not robust against noise and is inefficient in the use of the channel. However, 
this early work opened up the area to further research. 

Theoretical work in this area continued with results by Barrett et al. on 
monogamy of maximally entangled quantum states [BKP06J. They intro- 
duce a correlation function similar to that used in the chaining inequality 
|BC90j and show that if two parties in a 3-partite non- signalling distribution 
produces the same correlations achieved by a d x <i-dimensional maximally 
entangled quantum state (measured by the new correlation function) then 
the third party can have no information about the measurement outcomes 
of the first two parties. This opens up the potential for a higher dimen- 
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sional non-signalling key distribution protocol implement able by quantum 
apparatus. 

New protocols were introduced in |AGM06] and [AMP06] . Both of these 
protocols are based on the correlation function in the CHSH inequality 
|CHSH69] (see section glgg) . The latter is the AMP06 protocol which we 
will consider in detail in this chapter, and is a refinement of the protocol in 
|AGM06| . 

All security proofs up to this point were concerned with individual or col- 
lective attacks only. Proofs of security against general attacks were developed 
in |MRW + 06] . with universal composability achieved in |Mas08j . However, 
the proof makes some impractical assumptions. In particular, the probabil- 
ity distribution is assumed to be n + 1-fold non-signalling, with one party 
controlling n parts (corresponding to n trials) and the other controlling 1 
part (the n trials need not be non-signalling for the second party.) 



4.2.2 DIQKD 

Non- signalling protocols and security proofs perform poorly in a quantum 
context. As an example, we consider the two protocols analyzed by Masanes 
in |Mas08] . The first protocol analyzed is that presented in [AMP06J, which 
is also the first (and so far only) DIQKD protocol. This protocol has secure 
key rate in the non-signalling framework when implemented by quantum 
devices. The non-local correlations required for key generation cannot be 
generated by quantum devices. The second protocol relies on a larger num- 
ber of measurements. For a particular Bell inequality (the Braunstein-Caves 
inequality p3C90j ) quantum devices may (asymptotically in the number of 
measurements) achieve the same correlations as arbitrary non-signalling dis- 
tributions. This allows a quantum implementation that achieves the full 
non-signalling secure key rate, but practical implementation is problematic 
due to the large number of measurements required. 

Non-signalling based QKD is likely limited to a theoretical context be- 
cause of its impracticality in a quantum setting, but its reliance on a smaller 
set of assumptions than traditional QKD is appealing. For this reason Acin 
et al. [ABQ+07] [PAB+09] reinterpreted the protocol of |AMP06] in a quan- 
tum setting. The result is DIQKD. The initial work in this area consists 
of a proof of security in the quantum setting against a limited class of at- 
tacks. This class of attacks is analogous to the collective attack model in 
QKD and bears the same name. In this model the state is a tensor product 
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p®n Q f n identical states. This is measured by measurement devices with a 
fixed (but unknown) operation. That is, the measurement operators for each 
measurement setting are fixed. 

4.2.3 Security proofs in QKD 

The results in this chapter rely on Renner's PhD thesis on the security of 
traditional QKD |Ren05j . Renner's work provides a robust framework for 
security proofs of QKD protocols against general attacks. Renner's work is 
notable for several reasons. First, he adopts a composable security definition, 
which means that the final key is secure for any application [KRBM07J. 
Second, he develops and uses a finite version of the quantum de Finetti 
Theorem |Ren07] , which allows the security proofs to be applicable to general 
attacks in which the combined state across all measurements is arbitrary. 
Another important contribution is Renner's development of smooth min- 
and max-entropies, which play a major role in his security proofs and allow 
for finite, rather than asymptotic, analysis of security. 

In order to use Renner's framework with a particular QKD protocol one 
must consider the states and measurements used in the protocol and de- 
termine two things. The first is the set of states that pass the parameter 
estimation phase. These are found by considering the measurements used 
during parameter estimation along with various security parameters. Once 
this set of states is found one must determine the minimum secure key rate 
(found by calculating conditional entropies on the state) over all states that 
pass the parameter estimation phase. 

4.2.4 CHSH inequality 

The main idea for the AMP06 protocol is foreshadowed in Ekert's work on 
entanglement based QKD protocols |Eke91j . Ekert's protocol, Ekert91, used 
the CHSH inequality [CHSH69J (or rather the correlation function that the 
CHSH inequality bounds) to estimate how close the measured state is to a 
pair of maximally entangled qubits. This estimate was then used to prove 
that a secure key may be extracted. However, the state estimate is deter- 
mined assuming that the measurement devices exactly implement the Pauli 
X and Z basis measurements. The AMP06 protocol retains the use of the 
CHSH inequality but uses the black box device model. 
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The CHSH inequality is a Bell inequality utilizing two measurement set- 
tings and two measurement outcomes for two parties. The two parties, Alice 
and Bob, each randomly apply one of the two measurement operators to a 
bipartite state p and compare outcomes. The measurement operators are A a 
and Bb, where a, b G {0, 1} are the measurement settings for Alice and Bob, 
respectively. The operators A a and are Hermitian with eigenvalues 1 and 
-1. The CHSH operator is a non-local measurement defined by 

CHSH= A a ®B h (-l) ab . (4.2) 

0,6=0,1 

The CHSH inequality may be expressed as 

S = Ti(CHSHp) = Tr ( A « ® B bp) (- 1 )" 6 < 2 ( 4 - 3 ) 

o,6=0,l 

for local classical strategies, with an upper bound of 2\/2 for quantum strate- 
gies. Equivalently, we may use uniformly distributed random variables a, b G 
{0, 1} for the measurement settings and random variables x,y G {0, 1} for 
measurement outcomes, and derive the inequality 

p = P(x®y = ab) < 0.75 (4.4) 

for local classical strategies, with an upper bound of cos 2 | ~ 0.85 for quan- 
tum strategies. We say that a trial is successful if x®y = ab. In this notation 
the scenario may be described as a binary XOR game in which a referee sup- 
plies uniformly distributed queries a and b and receives replies x and y. Alice 
and Bob win the game if x © y = ab. 
The values p and S are related by 

S = 8p - 4. (4.5) 

Both of these quantities will be useful in this paper. We will be interested 
in the maximum value of S or p achievable by a state p, maximized over all 
possible measurements. We denote these values by S max (p) and p ma x(p)- 

Later, we need to determine S max (p) for a pair of qubits. For this, we turn 
to Horodecki et al. [HHH95] who did exactly the required calculation. Later, 
Verstraete and Wolf |VW02j gave a different presentation of this calculation, 
which we will use here. 
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We begin by writing 



P= £ ^U®V (4.6) 
u,ve{i,x,Y,z} 

with 

R uy = Ti(pU ®V). (4.7) 

We define a matrix R', with rows and columns indexed by X, Y, Z and entries 
Ru,v- Meanwhile, we may write the measurement operators as 

A a = £ s a>[ /C/ (4.8) 
ue{x,Y,z} 

B b = y, tb ' vV - ( 4 - 9 ) 

V&{X,Y,Z} 

We further define a matrix M by 

M=(s _\) (I)' (410) 

which is constrained by having Tr (M T M) = 4 and Rank(M) = 2. Then the 
value of the CHSH operator may be written as Tr (R'M). Using standard 
optimization techniques (least squares approximation) we find the maximum 
to be 2\/u 2 + v 2 where u and v are the largest singular values of R' (or square 
roots of the eigenvalues of R'(R') T . In the case where R! is diagonal, u and 
v are the two largest (in absolute value) of the diagonal entries. 

4.2.5 The AMP06 protocol 

The AMP06 protocol was originally described in [AMP06J and shown to 
be secure against collective quantum attacks in |ABG + 07] and |PAB + 09] . 
Two parties, Alice and Bob, share a small amount of secret key and wish 
to expand this into a larger key. They have access to an uncharacterized 
device which emits bipartite states, connected by quantum channels to a 
pair of uncharacterized measurement devices. Alice's measurement device 
has three settings, while Bob's has two. Finally, they have access to an 
insecure classical channel. They use some secret key to authenticate data 
sent on the classical channel. 
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1. Before beginning, Alice randomly chooses a list of m trials to be used 
for parameter estimation which she sends to Bob encrypted, using some 
private key bits. 

2. For each trial, Alice and Bob request a state from the source. If the 
trial is to be used for parameter estimation, Alice and Bob choose their 
measurement settings uniformly at random from {0, 1}. Otherwise Al- 
ice chooses setting 2 and Bob chooses setting 0. 

3. After all trials are completed, Alice and Bob announce their measure- 
ment settings. 

4. Alice and Bob publicly announce a permutation and reorder their trials 
according to this permutation. 

5. Alice and Bob estimate S, the CHSH value, from the parameter esti- 
mation trials. 

6. Alice and Bob perform error correction on the remaining trials, cor- 
recting Alice's outcomes to correspond with Bob's, resulting in the raw 
key. 

7. Alice and Bob perform privacy amplification on the raw key according 
to the secure key rate predicted by S. 

The above protocol could be efficiently implemented using quantum ap- 
paratus by a source of qubit pairs in the state \<fi + ) = ^ |00) + ^ |11), with 

Alice's measurements given by the operators X, Y, and Bob's mea- 

surement operators are and The security comes from the fact that 

in order to achieve a high value of S, the state that Alice and Bob measure 
must be close to \<f) + ) and hence Bob's measurements are uncorrelated with 
Eve. The efficiency of the protocol comes from the fact that Alice can align 
her measurement with Bob's a significant amount of the time and obtain 
strongly correlated results, so long as she chooses the other measurements 
often enough to detect any deviation in the state from \<f>+). 

Instead of choosing which trials to use for parameter estimation in ad- 
vance, Alice and Bob may choose their settings independently, saving some 
key. This introduces trials which are unusable (when Alice chooses 2 and 
Bob chooses 1) and unless Bob chooses and 1 uniformly, there will be some 
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parameter estimation settings that occur more than others. Conceptually it 
is easier to suppose that the parameter estimation trials are first chosen and 
then the settings are chosen uniformly. 

In |ABG + 07] and jPAB+09] the protocol requires that Alice and Bob sym- 
metrize their data by flipping their outcomes according to a random string 
which is publicly broadcast. This simplifies the analysis by introducing sym- 
metries in the quantum state. However, the symmetrization procedure need 
not be done in practice since it does not change the amount of informa- 
tion leaked to an adversary; Eve may account for the symmetrization in her 
own analysis after observing the public random string. Here we omit the 
symmetrization. 

4.3 Security models 
4.3.1 Black box model 

DIQKD uses a black box model of quantum devices as in self-testing. The 
devices are considered to be adversarial, always operating in such a way as 
to maximize the information leakage to Eve. Of course we must place some 
restrictions on the devices, otherwise they may simply transmit all their 
information to Eve. We require: 

Assumption 4.1. The measurement devices do not leak any information to 
Eve. 

The black box measurement devices have a quantum input, a classical 
input (measurement setting) and a classical output (measurement outcomes). 
Alice (or Bob for his device) has exclusive control of the classical input and 
output, and there are no other side channels. The quantum input is strictly 
input only. There can be no quantum or classical states "leaking" from the 
quantum input. We may model each device as a quantum channel that has 
two input registers, one the quantum input and the other the measurement 
setting, and one output register. Alice possesses both classical registers. 

The device model for DIQKD is sometimes described as "Eve provides 
the measurement devices." However, this depiction is only applicable if we 
can for some reason trust Eve not to build the device in such a way that it 
leaks information. Instead, the model should be understood as a theoretical 
tool which eliminates the dependance on a particular physical model. In a 
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secure physical implementation there must still be a physical model which 
makes assumption 4.1 reasonable. 



4.3.2 Collective attack model and security 

As described above, the protocol could be performed using the same de- 
vices over and over. Pironio et al. ( |PAB + 09j ) originally considered security 
against collective attacks, which relies on the assumption that the devices 
operate identically each time, and have no memory of the previous trials. 
For the source this means that state emitted over n trials has the form p® n . 
A physical implementation using devices that are used repeatedly must meet 
the following assumptions 

Assumption 4.2 (DIQKD Collective attacks). 

• On each trial the source emits p. 

• The combined state that the source emits is p® n . 

• The measurement devices have no memory. 

Pironio et al. proved security in this model with a secure key rate depend- 
ing on S and the error rate between the measurement outcomes for setting 
2 on Alice's side and setting on Bob's side. 

Theorem 4.1 (Pironio et al. |PAB + 09j ). The AMP06 protocol is secure 
against collective quantum attacks with secure key rate 

l-*( l±J«Hj ) -*(,)■ (4.11, 
where S is the CHSH value and q is the bit error rate. 

4.3.3 Memoryless device attack model 

In this chapter we will give a partial result on security in a more relaxed model 
than the collective attack model. We may describe it in two different ways: 
in a serial or parallel fashion, which are equivalent given certain assumptions. 
In order to illustrate the difference and how the current model differs from the 
collective attack model we give two descriptions of the latter. In the collective 
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attack model there are several trials, and each trial is identical; the states 
are identical and independent, and the measurement applied for each trial 
(for a given measurement setting) is the same. In a physical implementation 
we may consider two means of achieving this scenario. The first is a serial 
model where a source emits identical and independent copies of a particular 
state, which is measured by a measurement device which operates identically 
(for a given setting) each time it is used. In a parallel model, by contrast, 
each trial is implemented by a separate physical system (prepared in identical 
states) which is measured by separate devices (each operating identically). 
Clearly for the collective attack model these two physical depictions carry 
no theoretical difference. Physical implementation is of course easier with a 
serial model, while security proofs for QKD protocols typically rely on the 
parallel model. 

We now move to the memoryless device attack model. The goal is to 
achieve as general a security proof as possible. We consider first the parallel 
model. The most general attack model would be to allow any state and 
any measurement. Taken to the extreme, one may consider a single large 
POVM, dependent on the measurement settings for all trials, outputting the 
results for all trials simultaneously. A more restrictive model would have the 
measurement for each trial arbitrary, but operating on a separate physical 
system. The separation could be enforced by some type of shielding, which 



is already necessary to obtain Assumption |4.1 

Clearly a large number of space-like separated measurements is not prac- 
tical. A practical implementation could be made with single devices used 
serially, with only the following assumption: 

Assumption 4.3 (DIQKD Global attacks with memoryless devices). 

• The measurement devices have no memory. 

Suppose we operate the memoryless measurement devices in a lockstep fash- 
ion with the measurement settings so that the next measurement setting is 
only given to the device once the result of the previous trial has been given. 
In this case, since the devices have no memory, the various trials are com- 
pletely independent and the measurements on each trial commute with all 
other measurements. Thus this model is equivalent to the parallel model 
with measurements operating on separate physical systems. 

Thus we arrive at the memoryless device attack model. The source may 
emit any type of state, which may include a complete specification on how 
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the measurement devices are to operate on a particular trial, and the state 
may be entangled between trials. There is no restriction on the dimension 
of the state or on the form of the measurement operators. However, the 
measurement devices have no memory. 



4.4 Security of AMP06 

The main result in this chapter is to give a partial result showing that the 
AMP06 protocol described in |ABG+07| is secure in the memoryless device 
attack model. Unfortunately we are not able to give a full proof, and instead 
give a partial result which depends on a conjecture. To be precise, we give a 
proof of the following Theorem: 

Theorem 4.2. The AMP06 protocol is secure against qubit strategies with a 
symmetric state and memoryless measurement devices with secure key rate 

l- ft ( 1 + ^f^ )-%). (4.12) 

where S is the CHSH value and q is the bit error rate. 

We also outline how this can might be extended to qubit strategies with 
an arbitrary state and memoryless measurement devices. Unfortunately, the 
proof is incomplete: 

Conjecture 4.1. Permuting trials of a qubit strategy is equivalent to a qubit 
strategy with a symmetric state and a lower S max . 

Applying techniques from [P AB + 09] the result can then be extended to 
strategies with a state of any dimension. 



Theorem 4.3. If conjecture 4-1 is true, then the AMP06 protocol is secure 



against quantum attacks with memoryless measurement devices. 



4.4.1 Proof overview 

We will make extensive use of Renner's framework for QKD security proofs 
( |Ren05] chapter 6), but it will require adaptation in order to be applicable 
within the black-box model. In particular the parameter estimation in Ren- 
ner's framework assumes that the same measurement (for a given setting) is 
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applied for every trial, which cannot be assumed within the black-box model. 
Also, the finite de Finetti Theorem is sensitive to the dimension of the Hilbert 
space. Since in the black-box model the Hilbert space is unknown, we cannot 
use the finite de Finetti Theorem directly to obtain any bounds. 

In addition to solving the above problems, we must also characterize the 
set of states that pass the parameter estimation phase (in this Bell 
inequality) and determine the minimum key rate for these states. For this 
stage we will make use of state parameterization and entropy bounds from 
jPAB+09] . 



Overview of Renner's security proof 



Since our proof of Theorem 4.3 is an adaptation of Renner's security proof, 
we sketch the steps in that proof here: 



1. Permute trials to obtain a symmetric state 

2. Apply the finite de Finetti Theorem 

3. Measure m trials and apply parameter estimation Lemma 

4. Measure remaining trials to obtain the raw key 

5. Estimate the min-entropy of the raw key 

6. Apply classical post-processing to obtain final key 



The final security claim consists of an estimate of the trace distance (in- 
duced by the 1-norm) between the processed measurement outcomes and a 
uniformly random key independent of Eve. In order to obtain this estimate 
we make use of two tools: the triangle inequality and the fact that trace 
distance is non-increasing under quantum operations. This produces a chain 
of inequalities finally ending with the security claim. 



Outline of proof of Theorem 4.3 



Our proof follows the same sketch as that of Renner's security proof, but we 
must make adaptations at all but the last step: 



1. Reduce arbitrary strategies to qubit strategies 
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2. Show permuting trial outcomes is sufficient in the black box model 



3. Prove new parameter estimation Lemma for black box model and CHSH 
value 

4. Minimize min-entropy over possible measurements 

5. Estimate min-entropy from CHSH value estimate 

6. Apply classical post-processing to obtain final key 



The physical model we use in the proof is that of many parallel trials 
where the state for each trial is contained in a pair of subsystems (one for 
Alice and one for Bob), as introduced in section 4.3.3 Some careful thought 
will show that all the procedures used can be either serialized or performed 
once all the quantum systems have been measured solely using the classical 
data. 

The remainder of this section is divided into subsections devoted to each 
of the above steps. 



4.4.2 Reduction to qubit strategies 

Before we can use Renner's QKD proof framework we must first fix the 
dimension of the subsystems. This is because the finite de Finetti Theorem, 



described below in section 4.4.3 is sensitive to the dimension. In particular, 
if the dimension is unbounded then no conclusion may be drawn. Since 
we have no a priori bound on the dimension, we must make some form of 
reduction. Our main tool will be the following Lemma, which is originally 
due to Jordan |Jor75] , but has been rediscovered many times. Modern proofs 
appear m |Mas06bj and [PAB+09j . We will use the formulation appearing in 
jPAB+09j . 

Lemma 4.1 (Pironio et al. [P AB+09] Lemma 2). Let A and A 1 be two 

operators on H with two eigenvalues. Then A and A 1 can be simultaneously 
block diagonalized with block sizes 2x2 and lxl. 

Corollary 4.1. Let A and A 1 be two Hermitian operators on % with di- 
mension In or2n—l and eigenvalues 1 and -1, then there exists an isometry 
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F from % to T-L n <g> 7^2 md Hermition operators A a ' z on I-L2 with eigenvalues 
1 and -1, such that 

F(A a ) = ^ \z){z\ <8> A a,z (4.13) 

2 

wift A"' 2 " 2x2 operators with eigenvalues in {1,-1}. 

This corollary says that we can think of applying one of these two observ- 
ables as first applying a projection to learn z. The value of z then simulta- 
neously determines a measurement strategy for either measurement setting. 
Importantly, the projection onto z can be applied before learning the mea- 
surement setting. This will allow us to consider an arbitrary strategy as a 
probabilistic combination of qubit strategies. 

Let A°j be the observable for Alice 's mesaurements on the jth trial with 



setting a, and analogously for Bob. We apply corollary |4.1| to pairs of ob- 
servables A® and Aj to obtain isometry Fj, from the Hilbert space of the 
original state to Z^ ® %2- The result is that we can map A a - 3 to 



®A^ Z] (4.14) 



with the W z . commuting for different j. We do the same with observables B® 
and Bj and map B h ? to 

ni.SBf' (4.15) 



At this point we may decompose Eve's strategy into qubit strategies, 
indexed by z = (zi, . . . , z n ) and w = (wi . . . w n ). However, we make a further 
simplification. It may be the case that some A-' 3 is either / or —J, and the 
measurement outcome is fixed. We may replace the state for Alice's jth qubit 
in each strategy (z,w) for this value of Zj with |0) or |1) and replace A^ 1 
with Z . This new strategy is identical in terms of Eve's information and the 
outcomes as the previous strategy. Applying this reduction many times we 
obtain a strategy in which each measurement operator is 2-outcome. This 
is important since our proof of security for qubit strategies will make this 
assumption. 

As a final reduction, we note that different trials may have different sized 
Hilbert spaces. We may map the Hilbert space for each trial to the maximum 
sized Hilbert space, leaving the state intact and extending the measurement 
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operator onto the extra dimensions in any arbitrary fashion. This makes no 
change in Eve's information or the measurement outcomes. 

We have mapped a strategy of Eve to a strategy with state p on Hilbert 
space Z ® ("Hf n )A <S> (^f n )s with measurement operators of the form above. 
Note that we may perform a projective measurement with projectors UP for 
each j to determine all the zj and analogously for Bob's side to determine the 
WjS before determining the measurement setting without changing anything, 
since these projectors commute with the measurements A a -' and Bj. Eve 
loses nothing by performing this measurement herself, so we may assume 
that she does so and learns (z,w). We may also suppose that we first project 
the state down to a block diagonal state since this operation commutes with 
measuring (z, w). The result is that any strategy is equivalent to one in which 
Eve prepares a mixture of qubit strategies. We may further suppose that Eve 
holds the purification for each possible qubit strategy and only increase her 
power. 

We have reduced all possible strategies to a mixture of strategies on 
qubits. 

4.4.3 Reduction to symmetric qubit strategies 
Symmetric states and the de Finetti Theorem 

A symmetric state on n subsystems is a state that is invariant under permu- 
tation of the subsystems. For our purposes the subsystems will correspond 
to different trials in the DIQKD protocol. One set of particularly useful 
symmetric states is the symmetric subspace along a state. 

Definition 4.2. The symmetric subspace of "H® n along |0)® n_r is the sub- 
space spanned by states 



for any \(j>') on %® r and operation U which permutes the subsystems. This 
subspace is denoted by Sym(T-L, \(f))® n ~ r ). 

This subspace is important because the states in it are very close to sym- 
metric product states, and are hence easy to work with. The finite quantum 
de Finetti Theorem allows us to break symmetric states into a mixture of 
these near-product states. 




(4.16) 
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Theorem 4.4 (Renner |Ren07] Theorem 4.3.2). Let p e H® n+k be a pure, 
permutationally invariant state and let < r < n. There exists a measure v 
on the normalized pure states ofH, and for each normalized pure state \<fi) 
inH a pure density operator p^ on Sym(H, |0) 0n ~ r ) such that 

Tr k {p)- J p^) < 2 exp {- ^ + 1 d im(H) In kj (4.17) 

Here Trfc(-) means tracing out any k subsystems. 



Does permuting trials imply a symmetric state? 

In the Renner's QKD security proof a symmetric state is implied by the 
fact that Alice and Bob randomly permute their measurement outcomes. 
Although this operation does not operate directly on the state, it commutes 
with the measurements since the measurements are identical for each trial 
(for a given measurement setting) and the measurement settings are chosen 
uniformly at random. In the black box scenario the former is not true and 
the measurements may differ for each trial. 

For general strategies we may repair this problem by mapping a strategy 
to a larger Hilbert space by attaching to each trial a variable indicating its 
position. Then the measurement operators may all be replaced with a single 
measurement that reads this new variable and implements the appropriate 
measurement strategy. The measurements are then all identical, but the 
dimension has been multiplied by the number of trials. We then permute 
outcomes, which is equivalent to permuting the state. 

Unfortunately, this does not help us. A symmetric strategy does not 
necessarily reduce to a mixture of symmetric qubit strategies. Since we 
aim to apply the quantum de Finetti Theorem at the qubit level (since the 
Theorem is sensitive to dimension) we must have a symmetric qubit state. 

From this point we offer a possible means of providing a symmetric qubit 
strategy from an arbitrary qubit strategy. Unfortunately, this method will 
result in a decrease in the secure key rate as we detail below. The main idea 
is similar to the usual argument: permute the results and show that this is 
equivalent to a symmetric state, but the symmetric state we obtain will have 
a different S max than the original state. 

To begin with, we identify the critical security constraint: measuring the 
original state p and permuting the outcomes must be the same as measuring 
the symmetric state p' . We may satisfy this constraint as follows. When 
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permuting p to obtain p' we must identify the basis in which we are working. 
Since p is provided within a black box device, we have no natural basis to 
use. Instead, we will specify one. The ideal candidate is for the B side 
basis of each trial to be the eigenbasis of B . That is to say, we choose the 
B side basis for each trial so that B = Z. Then we partially recover the 
QKD mechanism: measuring p according B on each trial and permuting the 
outcomes is the same as measuring p' according to B . 

In order to provide a full solution we must also be able to estimate S max 
for the trials in p' (it is the same for each trial), but p' is merely a convenient 
fiction. However, p' is derived from p and we may hope to provide a lower 
bound using the average S max for p (averaged over all trials). In order to do 
this we must specify the basis for the A side of each trial. 



Recall from section |4.2.4| that we may express the CHSH operator as a 
matrix M indexed by the Pauli operators X, Y, Z. We may choose our bases 
so that A and Ai lie on the X, Z plane of the Bloch sphere. For the B side 
we have already fixed B = Z. By choosing an appropriate phase reference 
we may also have B\ on the X, Z plane. Then we may consider only the 
entries of M indexed X and Z since the others are all 0. 

Ideally, we would choose the bases so that M is diagonal with positive 
entries, but since B is already fixed this will not be possible in general. 
We still have some freedom in the choice of the A side basis, though, and 
we may arrange it so that M is symmetric with positive diagonal. Recall 
that S = Tt(R'M), where B! is determined by the state. Thus the only 
parameters of R' that matter are the entries R'xxi R'zz-i an d R'xz = R'zx- 

The goal at this point is to show that averaging S max over trials puts a 
lower bound on S max of the symmetrized state. There are only three param- 
eters in this analysis, so the hope is that it can be accomplished. Unfortu- 
nately, we have not been able to derive the bound. Thus the result remains 
a conjecture. 

4.4.4 Parameter estimation in symmetric qubit strate- 
gies 

At this point we need to develop techniques for estimating the CHSH value 
of states in Sym(TL, |0)® n_r ). This is analogous to Theorem 4.5.2 in |Ren05] . 
However, in that case the measurement operations on each subsystem are all 
known and identical. In our case the measurements are not in our control, 
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and we may have no description of them. Fortunately this is not a very 
important issue. The CHSH value that can be achieved by a particular state 
is a property of the state itself. If the measurements used are not optimal, 
then the observed CHSH value can only be lower than if the measurements 
are optimal. Since we are only interested in lower bounding the CHSH value, 
this is sufficient. Any CHSH value that we observe will (leaving statistical 
fluctuations aside) be a lower bound on the maximum CHSH value achievable 
by the state. 

Lemma 4.2 (Parameter estimation). Let G Sym('H2 <8> |0) 0n+m_r ) 
and let p = p max (\(f>)) be the maximum expected value for success on the 
CHSH test on \<f>), optimized over all measurements. Let Y be the number 
of successes after conducting the CHSH test on the first m subsystems of 
according to any measurement strategy. Then for fi > 

— *2(mti — r{\ — z?^! 2 r 

P (Y/m > p + u) < exp — ; . \ ," + (n + m)h( ) In 2. 

(n — r)cos 4 7r/8 n + m 

(4.18) 

The proof has two main steps and parallels the proof of Renner's Theorem 
4.5.2 |Ren05j . The step first is to bound the given probability for states of 
the form n(|0) (g,m_r ® W)) f° r some permutation n. Next we use Lemma 
4.1.6 of Renner which that says can be expressed as a superposition of a 
small number of such states and use Lemma 4.5.1 of Renner which bounds 
how much the probability can change for such superpositions. 

Proof. We now suppose our system is in the state l^') = |0) 0nw <S> \4>') for 
some on r subsystems. (We may also permute the subsystems without 
changing the argument.) Let Xj be the random variable corresponding to the 
success or failure of the CHSH test on the jth subsystem for the measurement 
strategy actually used (which may vary with j). Since the measurement 
strategy cannot do better than the optimal strategy, we have E(Xj) < p for 
1 < j < m — r and E(Xj) < cos 2 | for j > m — r. Applying Hoeffding's 
inequality ( |Hoe63j ) to the first m — r subsystems, we obtain for t > 1 

(m—r \ nr ,j 

\ — 2(m — r)t 

^Xj > (m-r)(p + t)\ <e cos4 f . (4.19) 
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The remaining r subsystems cannot add very much if r is small. Thus 



( m \ - 2 ( m -r)t Z 

> m(p + t)+r(l-p-t)\ <e cos4 f . (4.20) 

where m(p + 1) + r(l — p — t) = (m — r)(p + 1) + r and the additional r upper 
bounds the value of Y^j= m - r +i Xj- 

We now turn our attention back to Let z be an m-tuple with Zj = 1 
if the jth trial is successful and Zj = if it is a failure. We may write the 
measurement operator for the CHSH tests together as one large projective 
measurement {M z } with M z the projector corresponding to the outcomes 
of success and failure given according to z. Then the probability of getting 
the success/failure outcomes according to z is M z \ip). Note that M z is 
positive semi-definite. 

We are only interested in the number of successful outcomes, which is 
given by w(z), the Hamming weight of z. We can restate the above result as 

-2(m-r)t 2 

(tp'\M z \ip') < e cos4 f . (4.21) 

w(z)>m(p+t)+r(l— p— t ) 

Now suppose that is in Symffi, |0) (gln+m ~ r ). We can express \ip) as 
a superposition of states of the form \(j)) n+m ~ r £g> \<f)'} up to permutations of 
subsystems. We can apply the above argument to each of these terms in the 
superposition. We are only measuring m of the subsystems, so depending on 
the permutation anywhere between m — r and m of the subsystems may be 
in the state \<p). Note that our bound still applies since the last r subsystems 
are arbitrary. The following two Lemmas from |Ren05j bound how much 
error may be introduced by this procedure. 

Lemma 4.3 (Renner |Ren05] Lemma 4.5.1). Let = XLex \ x ) an ^ ^ P 
be a positive semi- definite operator, then 

(i/j\P\iIj) < \X\^2 (x\ P \x) . (4.22) 

Lemma 4.4 (Renner |Ren05] Lemma 4.1.6). Let \tp) be a state in Symffl, \<fi)® n ~ r ). 
Then there exist orthogonal vectors \x) , which are permutations of \<fi)® n ~ r ® 
1 0a;) f or x (z X such that is in the span of the \x) for various x, and 
\X\ < 2 nh ( r l nS> where h(-) is the binary Shannon entropy. 
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Applying these results we obtain 

-2(m-r)t 2 

M M * Wl ^ e cos4 f 2 {n+m)/l{ ^ ) . (4.23) 

«:(2)>m(p • f) :-r(.l — p— i) 

Rewriting as a probability, we get 

-2(m-r)t 2 

P (y > m(p + t) + r (1 -p - t)) < e cos H 2 (n+m)/l( ^ ) (4.24) 
or, equivalent ly 

P (y/m > p + a) < exp ( ~ r ( 1 ~ P?j + ( n + m )/t( r ) l n 2^) . 

v 7 V (m-r)cos%/8 V ; y n + m' J 

(4.25) 

□ 

4.4.5 Estimating conditional entropies 

In this section we put some bounds on conditional entropies which will later 
provide us with the asymptotic key rate. We begin with a 2 qubit state pabe, 
to which Eve holds the purification, with the property S max (pAB) — S. We 
then measure Bob's system with an adversarial measurement and estimate 
H(X\E), the entropy of Bob's outcome conditioned on Eve's system. 

There are several tasks. First, we show that we may take p to be a Bell 
diagonal state on Alice and Bob's qubits. Second, we estimate S max (pAB) 
from the eigenvalues of a Bell diagonal state. We then use this estimate to 
bound certain entropies on the eigenvalues of the state. Finally, we esti- 
mate H(X\E), minimized over possible measurements. Once these tasks are 
complete we may bound H(X\E) using a function of S max {pAB)- 

The material in this section largely follows Pironio et al.'s argument in 
|PAB + 09j . We indicate where we deviate from their work. 

Bell diagonalization 

We now prove the following Lemma: 

Lemma 4.5. Let pab be a given two qubit state with measurements A a and 
B b and consider H(B\E), where B is Bob's system after being measured by 
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B°, and E indicates Eve's system, which is a purification of Pab- If there 
exists f such that 

H(B\E) < f(S max (p AB )) (4.26) 
for all Bell diagonal Pab, then the bound also holds for arbitrary pab- 

We begin by supposing that all marginals of pab after being measured by 
Alice or Bob are uniform. Pironio et al. originally considered a protocol in 
which Alice and Bob actively symmetrize the marginals of their measurement 
outcomes by flipping each outcome randomly and announcing whether or 
not they did so. This is fine for qubit strategies, but is slightly problematic 
for arbitrary strategies since a strategy on a larger Hilbert space may have 
symmetric marginals but decompose into qubit strategies which do not. Here 
we offer a different argument that arrives at the same conclusion: we may 
take the marginals to be symmetric without compromising security. 

Consider any qubit strategy. We may fix any basis for our discourse, so we 
choose one so that A and A 1 are in the X, Z plane of the Bloch sphere, and 
analogously for Bob's measurements. We may produce a new qubit strategy 
by applying Y <g> Y to the state. This simply flips all outcomes, so it has 
the same S max and error rate, and gives Eve the same information. Now 
consider a strategy which is formed by combining the two states with equal 
probability, with Eve recording which one is performed. This strategy again 
has the same S max , error rate, and gives Eve the same information. Thus we 
may consider this final strategy alone, and if it is secure then so must be the 
original strategy. 

We now return to Pironio et al.'s argument with a presentation of the 
proof of Lemma 3 from |PAB + 09j . We retain the basis above, with the 
measurements on the X, Z plane and assume that Y <8> Y has been applied 
with probability 1/2. In the Bell basis we obtain 



Pab 



( ^+ 


Tie 1 





\ 


ri g-«6»i 
















A^_ 









r 2 e~ ie2 





(4.27) 



since \<f> + ) and are eigenvectors of Y <8> Y with eigenvalue 1 while the 
other two Bell basis vectors have eigenvalue -1. 

There is still freedom in the choice of basis, and we may make a rotation 
about Y on both Alice and Bob's side while keeping the measurements on 
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the X, Z plane. The rotation angles may be chosen (see jPAB+09] Lemma 3 
for details) to obtain 



Pab 





iri 
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(4.28) 



Finally, we apply an argument analogous to the marginal symmetrization 
and find that an equal mixture of the above state and its complex conjugate 
gives the same security. This mixture has no off-diagonal entries in the Bell 
basis, and thus is Bell diagonal. This allows us to consider only Bell diagonal 
states. 

Estimating S max 

We prove the following: 

Lemma 4.6. Let pab be a given two qubit Bell diagonal state. Then 



S ,1 



•Xpab) > tV2sJ (A 0+ - A^) 2 + (A _ - A^ + ) 2 . (4.29) 



Proof. First, we recall the definition of R' from section 4.2.4| For Bell diag- 
onal operators we find 

(A<£ + — + A^ + — 

— A^ + + A^_ + X-,p + — X-,p_ 

A^ + + \ ( / ) _ — A^ + — X^_ 

(4.30) 

Note that R! is diagonal. Using Rxx and Rzz as the largest in absolute value 
(if this is not then case, then we still get a lower bound) we find exactly the 
desired lower bound on S^a,]]] □ 

Entropy inequalities 

We prove: 



1 Note that in [PAB+09 , Lemma 7 S max is found as a maximum over two values. The 



second of these values is obtained for measurements in the (Z, Y) plane. 
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Lemma 4.7 (Pironio et al. |PAB + 09| Lemma 6). Let pab be a two qubit 
state. Then 

h(X) - h(\* + + A, J < h ^ 1 + V(S max (a AB )/2 l^ 

where h is the Shannon entropy. 

The proof is long and technical, so we refer the reader to |PAB + 09"] for 
details. Briefly, the proof introduces a parameterization of the As in terms of 
S and two other parameters. Then the entropies on the left hand side of the 
bound are written in terms of this parameterization. Finally, optimization 
techniques are used to find the maximum, giving the required bound. 

Bounding H(B\E) for Bell diagonal states 

Lemma 4.8. Let pab be a two qubit Bell-diagonal state with eigenvalues X, 
purified on system E. Suppose the B system is measured with an observable 
in the X, Z plane to obtain random variable Y . Then 

H(Y\E)>l + h(\* + + \*_)-h(X). (4.32) 




Although this Lemma does not appear in |PAB + 09] . the proof roughly 
follows that of Lemma 5 from [P AB + 09"] . We fill in several details, including 
the derivation of pye and the calculation of its eigenvalues^] 

We begin with a slight change of notation which will allow more compact 
formulas below. We may write the Bell states as 

i^) = 4 E(- 1 ) rt i r >i r ® s > ( 4 - 33 ) 

V 1 r=0,l 

with = |0oo), 10-) = |0oi), \ip+) = |0io) and |^_) = \<hi). 
We may write a purification of pab as 

\^abe) = ^= Yl V^t(-l) rt \r)\r®s)\e st ). (4.34) 

V 2 r ,s,t=0,l 



2 Note that in |PAB+09| there is a typo in equation 31. The final a should appear with 
|e3) rather than \e4). Also, the final eigenvalues contain a cos 20 rather than cos AO here. 
This is due the fact that </> is an angle in the Bloch sphere and so corresponds to 20. 
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Tracing out the A system may be accomplished by measuring in the Z 
eigenbasis and ignoring the outcome, obtaining a mixture of the two non- 
normalized states: 

EVr |s0;r)( " irt|est) (435) 

s,t 

for x — 0, 1, corresponding to the two reduced states on obtaining outcome 
x. 

Next we measure the B system in the basis q |0) + qi |1) / qi |0) — q |1) 
with ql + q 2 = 1. For outcome y the system is left in a mixture of the two 
non-normalized states 

E I s © (-1)***' |e sf > (4.36) 

for £ = 0, 1. The state py# is then a direct sum of two blocks. The blocks 
may be written as 

M y = J2 ^v/A^g^e^^e^l-^^^^^lestXe^l (4.37) 

s,t,u,v,x 

Finally we determine the eigenvalues of pye, which is the direct sum of 
the two mixed states above. For each block (corresponding to a particular 
outcome y) we may obtain the eigenvalues using the following procedure: 
determine the trace of the block (which in this case is 1/2 for each block since 
either outcome is equally likely for pab Bell diagonal). Next we determine 
the trace of the square of the block. Since each block is a mixture of two 
states, there will be two eigenvalues, A„, for w — 0, 1. Then for block M we 
have m = Tr(M y ) = A + Ai and n = Tr(M^) = Ag + Af. We solve for A w in 
terms of m and n by noting that m 2 = n + 2AoAi, subbing in Ao = m — Ai, 
and solving the resulting quadratic for A . We obtain 

A * = ^^ + (- 1 )V 2n "i)- (438) 
Squaring M y and tracing we obtain 

Tr (My) = -^st^uvq{x®y®s)q{x®y®u)qz®y®sq z ®y®u(— l)( x ® z )(*®"). (4.39) 

s,t,u,v,x,z 
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Fixing s, t, u, v and summing over x and z, we find that the qs sum to 

r (Qo + (fi) 2 = 1 t = v,u = s 

(q 2 -qf) 2 t^v,u = s 

|4(go9i) t = ^,M^s 

[0 t v,u ^ s. 

We may write g = cos#, q\ = sin#, in which case (q 2 , — q\) 2 = cos 2 29 = 
±±f^, g 2 g 2 = sin 2 29 = l=f^, and 

Tr(M y ) = - (Aq + Aqx + A 2 + A n + AooAoi + AooAio + AoiAn + AioAn) 

(4.41) 

cos 40 

H t — (AqoAoi — AooAio — A iAn + AioAnJ . 

Collecting some terms, recalling that ^ st A st = 1, and factoring we obtain 

l - (1 + (A 00 - A n ) 2 + (Aoi - A 10 ) 2 + 2cos4fl(A 00 - A n )(A i - A 10 )) . (4.42) 
Substituting in, we find 

K, = \(l + (-lr^A^ -A^_) 2 + (A _ -A v , + ) 2 + 2cos40(A ( ^ + -A^)(A _ -A^ + ; 

(4.43) 

Each eigenvalue occurs with multiplicity 2, for the two values of y. Recall 
that for state p YE , H(Y\E) = H{p YE ) - H{p Y ). We find H(a YE ) to be 
1 + h(A + ), which is minimized for 9 = if the term with cos is positive, 
or 9 = 7r/4 when the term with cos is positive. In these cases we obtain 
A + = A^, + + A<£_. Meanwhile, the state p E has the same eigenvalues as 
Pab since p E is the purification. The eigenvalues are thus given by A, so 
H(E) = h(X). We obtain 

H(Y\E)>l + h(\t + +\t_)-h(\). (AAA) 

Bounding H(Y\E) in terms of S 
We finally obtain the bound we seek: 
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Lemma 4.9. Let pab be a 2-qubit state, measured on the B system in the 
X,Z plane to obtain a system X. Further suppose that pab is purified by 
system E. Then 

ffra >,.i(li«Ei] (4.45) 



4.4.6 Security for qubit strategies on symmetric states 

In this section we restrict our attention to the case where the state source 
emits a pair of qubits and the devices each measure one of these qubits. Our 
proof of security is derived from the one given by Renner in |Ren05] . The 
main difference is in the parameter estimation. Central to the argument is the 
finite quantum de Finetti Theorem published in |Ren07j . Security for qubit 
strategies follows from the same proof as Theorem 6.5.1 in |Ren05j . with 
different parameters. Since the proof is laid out in great detail in |Ren05j we 
will only sketch the proof and indicate the necessary changes. 

We begin with a symmetric state n+m+k pairs of qubits, which we purify 
(according to Lemma 4.2.2 of |Ren05j ) on Eve's system to a pure symmetric 
state p. Importantly, the purification is symmetric even when considering 



Eve's systems. According to the finite quantum de Finetti Theorem (4.4), 
we may drop k subsystems and obtain 



Tr fc(p) - J pM<f>) 



< §e (4-46) 



with e Sym{Hf A , |0}® n m_r ) and r depending on n, m, k, e according to 
table 6.2 of |Ren05] . We next apply parameter estimation by measuring m 
systems with measurement settings chosen uniformly at random for Alice 
and Bob, and determine the number of CHSH successes, y. Then — is our 
estimate of p. If this estimate is below some threshold, pthres + A* (Pthres is 
used to determine the key rate in the privacy amplification phase) we abort 



and map the state to 0. According to Lemma 4.2, if we choose p to be 



" = I V (" ln 2 i ~ (n + m)h fc) ln 2 ) (m - r) cos4 1 (447) 

then the true value of p is lower than — — p, only with probability less than 
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|e. Thus we may apply the parameter estimation to obtain 



'v 



< \e (4.48) 



where we restrict the integral to the set of states \<p) which have CHSH 
probability of success pthres or higher (denoted by V). The PE superscripts 
indicate the application of the parameter estimation protocol. 

We now have (if the protocol did not abort) a state p PE which is nearly 
indistinguishable from a mixture of near-product states each with CHSH 
success probability better than pthres- We may characterize the smooth min 
entropy of this family of states and apply privacy amplification, deriving a 
security bound for the finite case. However, the calculation is essentially the 
same as it appears in |Ren05] and is beyond our scope. Instead, we will 
appeal to the final result and calculate the asymptotic key rate. 

In |Ren05j . Corollary 6.5.2 we find the asymptotic key rate after privacy 
amplification to be 

min H(Y\E)-H(Y\X) (4.49) 

<*AB -Omax (TAB )><-> 

with H(Y\E) and H(Y\X) evaluated for state <Jab, and S = Spthres — 4, 
while X and Y are the classical outcomes for Alice and Bob upon measuring 
gab- The system E is Eve's system, which we take to be a purification of 
(Tab- Additionally, we must minimize over measurement strategies of Bob's 
devices. 



By Lemma 4.9 the secret key rate is thus bounded below by 



t _ h . i + vww^ \_ %) (450) 



where H(Y\X) = h(q) and q is the bit error rate between Alice and Bob's 
raw keys (Alice error corrects). This is the same asymptotic rate achieved 
in |ABG + 07j . Note that there is no relationship between S and q, since 
Alice's raw key comes from an unknown measurement. Her measurement 
may measure p or some other system. In all cases it is possible for q to range 
from to 1, regardless of the value of S. 
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4.5 Issues with practical implementations and 
discussion 



Since DIQKD aims to provide higher security in practical implementations 
than QKD we must carefully examine the extent to which this is true. In 
particular we must address issues regarding the selection of measurement 
settings. 

4.5.1 Detector efficiency 
Detector efficiency loophole 

A common complaint against DIQKD is the detector efficiency loophole, 
which was originally studied in the context of Bell inequalities. In prac- 
tical optical experiments the detectors in the measurement devices do not 
always record a photon when it is present. This means that some trials in 
a Bell experiment give a "no outcome" result. In a non-adversarial setting 
this is not problematic, but if we suppose that the measurement devices are 
adversarial and we discard "no outcome" results then the adversary may 
selectively choose a "no outcome" result, allowing them to post-select for 
favourable conditions. In particular, the devices may post-select for a partic- 
ular measurement setting, allowing the adversary de facto control over the 
measurement settings. 

Consider the following strategy. Eve determines, for each trial, a mea- 
surement setting and outcome for Alice's device and an adaptive strategy 
for Bob's device. Alice's device waits for the measurement setting input and 
if it does not agree with the predetermined setting then the device gives no 
output, as though the photon was lost. On the trials for which an output is 
produced, the adaptive strategy in Bob's device allows for S = 4 since the 
measurement and outcome on Alice's side is known. 

In the above strategy the detector efficiency of Alice's side is 0.5 and on 
Bob's side it is 1. By randomly exchange roles, so that Bob's measurement 
setting is post-selected, we obtain a randomized strategy with efficiency 0.75 
for both Alice and Bob's detectors. Thus for detector efficiency below 0.75 
there is a local hidden variable model which obtains 5 = 4. 

Clearly if the observed detector efficiency is too low then DIQKD is not 
secure; the devices may seem to be lossy, but in fact are implementing a pre- 
determined strategy that allows Eve to know all information. How efficient 
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must the detectors be to obtain a secure DIQKD implementation? Currently 
there has been only minimal study of the robustness of DIQKD against low 
detector efficiency Pironio et al. |PAB + 09] consider a scenario where "no 
outcome" results are assigned a random outcome. In this case the ineffi- 
ciency of the detectors translates directly into effective noise. Their analysis 
concludes that a positive key rate is achievable for detector efficiency over 
92.4% and they provide a bound for maximum key rate vs. efficiency using 
this strategy. 

A proper analysis of DIQKD accounting for detector efficiency would 
likely use a modified CHSH inequality. It is possible to derive Bell type 
inequalities that account for detector efficiency (see |Ebe93] for one such 
derivation) which could be used to characterize a set of quantum states which 
from which secret key may be extracted. An important roadblock in this 



program is the fact that Lemma 4.1 is restricted to observables with two 



outcomes and no extension is known. 

Future work. Derive robust security bounds for DIQKD that take into ac- 
count low detector efficiency. 

In practical implementations we may make the following assumption: 

Assumption 4.4 (Fair sampling). The efficiency on each trial of Alice and 
Bob's detectors is independent of the measurement setting. 

With this assumption in place there is no post-selection of measurement 
settings and the problems outlined in this section do not exist. Of course 
this assumption is clearly not satisfied in practical settings, as outlined below. 
Nevertheless, in security proofs the assumption is often made implicitly. 



Comparison with QKD 

Although the detector efficiency loophole is sometimes given as reason for 
preferring QKD over DIQKD, this argument does not hold. In fact, QKD is 
also susceptible to the detector efficiency loophole. This point is usually not 
addressed, since the devices are considered to be under Alice and Bob's con- 
trol, and hence the efficiency could not vary depending on the measurement 
setting. As a concrete counterexample to the validity of this assumption, we 
consider the class of attacks based on detector efficiency mismatch. 

Detector efficiency mismatch attacks were described by Makarov et al. 
|MAS06a] and have been implemented against commercially available QKD 
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systems by Zhao et al. [ZFQ + 08 . Generally speaking, detector efficiency 
mismatch attacks exploit the fact that different detectors are often used 
for different measurement settings, and individual detectors differ in their 
efficiency. The specific attacks implemented by Zhao et al. are called time 
shift attacks. These attacks are viable against detectors operating in gated 
mode, where they become sensitive for short periods of time. The efficiency 
of the detector thus varies over time in a way that is specific to individual 
detectors. The detector for one measurement setting has a relatively high 
efficiency at a time when the detector for another measurement setting has 
a low efficiency. In this case Eve may selectively adjust the arrival time of a 
photon to match the period where the efficiencies are mismatched, favouring 
one measurement setting over the other. 



4.5.2 Coincidences and timings 

Since the likelihood of a photon being absorbed within the air or a fibre optic 
cable is so high, and stray photons and dark counts generate detector clicks 
when no signal photon is present, it is common to record the timing of detec- 
tor clicks at both Alice and Bob's labs and look later for coincidences, which 
are times when a detector clicks for both Alice and Bob. These coincidences 
are then used as the raw data for the remainder of the protocol. 

Although convenient, finding coincidences may introduce side channels. 
For example, if there is also some detector inefficiency mismatch then precise 
timing data could reveal that a coincidence occurred at a time when the 
detector is more efficient than another, in which case Eve will learn that one 
measurement setting or measurement outcome was more likely than another. 
Another attack using timing information was described by Lamas-Linares 
and Kurtsiefer in |LLK07j . There the specific entangled photon source used 
has a timing signature that, together with precise coincidence timing data, 
can leak information to Eve. 

The two examples given here show that there may be complex interactions 
between timing data and other channels which may leak information. For 
this reason we make the following assumption (for both DIQKD and typical 
QKD security models), which is likely to be untrue in many implementations: 

Assumption 4.5. There are no correlations between coincidence timing data 
and the raw key. 
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4.5.3 The role of DIQKD 



With so many assumptions necessary for security, one may wonder if there 
is any benefit to DIQKD. However, these assumptions are also necessary for 
security in QKD. Certainly there are fewer assumptions in DIQKD because of 
the adversarial device model used. The practical value of DIQKD is limited 
because of the lower key rates it achieves, but the theoretical value is high 
because DIQKD places an emphasis on carefully analyzing the assumptions 
necessary for security and introduces new tools for security analysis. 
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Chapter 5 



Black box state 
characterization 
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5.1 Introduction 



In the previous chapters we have concentrated on using black box devices 
for specific tasks, which has limited our investigation to particular technical 
properties that allow us to achieve the goals for each task. In this chapter 
we expand the context and consider characterizing a black box state source 
without reference to its final use. In particular, we will use robust measures 
of the quality of the state source with an operational interpretation that will 
allow us to estimate its behaviour in any context. 



5.1.1 Reference experiment 

The reference experiment that we will consider is the typical CHSH setup, 
with a state source emitting a bipartite state, measured by a pair of devices, 
each with two measurement settings. The measurements statistics are boiled 



down into a single number, the CHSH value, as defined in section 4.2.4 
Using this value alone we wish to estimate the state emitted by the source, 
comparing it to an EPR pair, | </>+). 

The reference experiment consists of an EPR pair, with measure- 
ments A) = X, A x = Z, B = -±(X + Z), and B x = -±(X-Z). The CHSH 

value for the reference experiment is 2y/2. 



5.1.2 Measures of quality 

A major obstacle in this line of research is choosing a suitable measure of 
quality for the state. Although our reference state is already chosen, there are 
many options for how we may compare it to the physical state. Complicating 
the picture is the fact that the physical state has an unknown dimension. 
Finding a measure that has a reasonable operational interpretation across 
all possible physical states is challenging. In this chapter we will develop 
several measures and compare them. We will also prove several bounds. The 
picture is incomplete, however, as we shall see. For certain measures proving 
a bound is problematic, while for less desirable bounds (from an operational 
perspective) the bounds are reasonably easy to find. 
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5.1.3 Literature review 



There has been limited work in this area to date. The results in this chapter 
are all joint work with co-authors Bardyn, Liew, Massar and Scarani and are 
published in |BLM + 09| . Certain aspects were anticipated by Mayers and Yao 



[MY04] in their work on self-testing of EPR pairs discussed in section 3.4 



Various articles on the CHSH inequality are also relevant, particularly the 
work by Horodecki et al. [HHH95] , which may be seen as a non-robust version 
of the results in this chapter. Their work shows that any two qubit state that 
maximally violates the CHSH inequality must be maximally entangled. Also, 
the authors developed a method of calculating the maximal CHSH value 



achievable for any two qubit state, which we used in the proof of Lemma [476 
(although the notation we used was based on |VW02] .) 



5.1.4 Contributions 

In this chapter we develop several measures of quality for an entangled pair 
source and prove bounds on them. The definition of these measures presents 
a significant technical challenge because of the black box nature of the test 
and the fact that we compare the physical state to a fixed reference state. 
These two aspects of the problem mean that the measures must be defined 
regardless of the dimension of the state and nevertheless have a consistent 
interpretation that does not depend on the dimension. 

We are able to prove bounds for several of the measures of quality that we 
define. In particular, we have a complete characterization for qubits: a lower 
bound and a set of states that achieve the bound, proving that it is tight. 
When we extend the definition to arbitrary dimensions we have some partial 
results. For the most restrictive definition (Fmy, defined below) we have 
a conjectured lower bound for pure states, and examples that saturate this 
bound. For the least restrictive definition (Flocc) we have a lower bound, 
but no examples that saturate it. This bound is conjectured to be tight. 
Meanwhile, for the final measure (Flo), which is bounded above and below 
by the previous two measures, we have a lower bound but conjecture that it 
is not tight. 

The material in this chapter was published in |BLM + 09| and is joint work 
with the co-authors. 
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5.2 Two qubits 



Although our ultimate goal will be to have no assumptions on the dimension 
of the physical state, we will first investigate the case of two qubits, both 
because it is easier to analyze and because the bound we derive will be useful 
when we move to the case of higher dimensions. 



5.2.1 Fidelity and trace distance 

In the case where the physical state is known to be two qubits it is quite 
easy to measure the quality of an entangled pair. We simply choose an 
appropriate distance function on states. The most meaningful distance, from 
an operational point of view, is the trace distance given by[j] 

IIP " *\\tt = \M\P - °\) = ^Tr (yiT^f) (5-1) 

which measures how distinguishable two states are by any procedure. Wa- 
trous' lecture notes [Wat08b] provides a good introduction. 
An easier figure to calculate is the fidelity, given 

F(p,a) = Ti( y /pa y /p). (5.2) 

Watrous' lecture notes |Wat08c] again give a good introduction. The fidelity 
is related to the trace distance by 

1 - y/F(p, a) < | \p - a\ \ Tr < Vl - F(p, a) (5.3) 

(the Fuchs-van de Graaf Inequalities) which is saturated on the right when 
p and a are both pure. Since the fidelity is easier to calculate, we will use it 
for the remainder of this chapter. 

It is often convenient to calculate the fidelity by means of a purification 
using the following Lemma (with a proof appearing in Watrous' lecture notes 
|Wat08cj .) 



1 The trace distance is sometimes given without the factor of |, particularly in Watrous' 
lecture notes. 

2 The fidelity is also sometimes given as the square root of this value, particularly in 
Watrous' lecture notes. 
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Lemma 5.1 (Uhlmann's Theorem). Let p and a be given with \ip) any pu- 
rification of p. Then 

F(p,a)= max | | 2 . (5.4) 

| <f>) purification of a 

As well, if p = I^X^I is pure (as frequently will be the case in our discus- 
sion) then 

F(\^M,a) = ^\a\^). (5.5) 
5.2.2 Measuring the state 

Suppose we have a bipartite state p on a pair of qubits. Our reference state 
will always be a pair of maximally entangled qubits: \(f>+). Ideally we would 
like to bound the trace distance between these two states: 

Hp- \\tt ( 5 - 6 ) 

but we will settle for estimating the fidelity, F(p, |0+)(0+|), which will also 
provide a bound on the trace distance. There is some ambiguity, though, 
since we have no natural local bases when considering p, and our description 
of the reference state assumes that the local bases are known. To this end 
we define Fmy as 

F MY (p)= max F{U ®Vptf ®V\\<t> + ){<t> + \). (5.7) 

U,V unitary 

The maximization takes into account our lack of preference for particular 
local bases for p. The value of F MY (p) will vary between 1/4 for a maximally 
mixed state and 1 for a maximally entangled state. 

Another measure that we will use allows for arbitrary local operations, 
rather than just changes of bases. For pure states this will not offer any 
advantage, but for mixed states it allows a slightly higher fidelity. We define 
this by 

Definition 5.1. Let a two qubit state p be given. Then 

F LO (p) = max F($4 <g> $ B (p), |0+)(0 + |) (5.8) 

<S> A ,^B 

where $a and $ B range over completely positive trace preserving maps taking 
qubits to qubits. 
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By the simple fact that unitary operations are local, we know that Fmy < 
Flo- For pure states the two quantities are equal; if the state is a product 
state then unitaries will take it to 1 00) giving the highest possible fidelity for 
a product state (mixed or not). If the state is entangled than no operation 
can increase the entanglement; only a change of basis is required. 

In the case of mixed states, however, we may find strict inequality. Any 
separable state may be replaced by a pure product state. In the case of 
the completely mixed state, for example, we find Fmy{I/2) = 1/4 while 



5.2.3 Model for measurement operators 

We will model the measurement operators for the CHSH test as two-outcome 
observables. Thus, each measurement operator will be Hermition with eigen- 
values ±1. For qubits an important consideration is whether we allow all 
eigenvalues to be 1 or —1, that is, whether we allow / or —I as a measure- 
ment operator. More generally speaking, how do we model a fixed outcome? 
We may model a fixed outcome by a / or —I as the measurement, or by 
using eigenvectors of some non-trivial measurement as the state. 

Generally speaking this will not pose a problem. We will be only in- 
terested in cases where S > 2 since if S < 2 then the experiment may be 
simulated with a local hidden variable model and we have no interest. For 
S > 2, a non-trivial measurement must be used. 

5.2.4 Bound for qubits 

We will prove the following Theorem: 

Theorem 5.1. Let a two qubit state p be given. Then 



Furthermore, the bound is saturated for S > 2 by the states cos#|00) + 
sin0|ll). 

There are many ways of approaching this proof. For a different proof, see 
Bardyn et al. [BLM+09] . 



F LO (//2) = 1/2 = F LO (|00>). 




(5.9) 
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Proof. Lower bound 

We begin much as in section 4.4.5| by reducing to the case of Bell diagonal 
states. Suppose that S max (p) is achieved for measurements A a , and B^. 
We may choose any basis we like for our discourse, so we suppose that the 
measurements are all in the X, Z plane. Note that if we apply Y ® Y to p 
then all the outcomes on both sides are flipped, but S is not affected since the 
only thing that matters is whether the outcomes are the same or different. 
As in the proof for Lemma [4~5] we may thus construct a new state by applying 
Y g) Y with probability 1/2, and the local bases may be chosen so that the 
off-diagonal entries of the density matrix in the Bell basis are all imaginary. 
As well, complex conjugation does not affect S since the measurements are 
all in the real plane. We may thus take an equal mixture of the state and its 
complex conjugate to obtain a state 

a= ^(p + p* + Y ®Y(p + p*)Y ®Y) (5.10) 

with S max (a) > S max (p). 
Now consider F MY (a) 

F MY (o-) = ( ( j )+ \o-\ ( j )+ ) (5.11) 

= (0+| p |0+> + (0+| P* l<M + (0+l Y®YpY®Y |0+}+<0+| Y®Yp*Y®Y |0+> . 

(5.12) 

Since |0+) has all real entries, complex conjugation does not matter. Also, 
we may rewrite 

Y <g> YpY <g> Y |0+) = Tr(Y <g> Y |0+)(0+| Y <8> Y p) . (5.13) 

The reader may verify that Y <8> Y |0+) = — |0+). Finally, since complex 
conjugation and multiplying by Y <8> Y do not change the state |0+), we 
conclude that the optimal basis for p is also the optimal basis for the other 
states in the mixture as well. Combining these facts, we obtain 

F MY (a) = F MY (p). (5.14) 

Let / be defined by 



(-)- 1 

f(S) = • ( 5 - 15 ) 
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Note that / is increasing. If we find that Fmy^) > f{S) then we obtain 

Fmy(p) = F MY {a) > f(S max (a)) > f{S max {p)). (5.16) 

Thus we may restrict ourselves to Bell diagonal states. 

We now assume that p is Bell diagonal with eigenvalues A0 + ,A 2 ,A 3 ,A 4 
with largest eigenvalue A<^ + (if this is not the case, then a local change of 
basis will make it so and keep the state Bell diagonal). The ordering of the 



remaining eigenvalues is not important. Following the proof of Lemma 4J) 
we find 



S max {p) = 2V2^J (A 0+ - A 2 ) +(A 3 -A 4 ) 2 (5.17) 

for some ordering of the remaining eigenvalues. For a particular value of 
the largest possible value of S max occurs when X 2 = A4 = and A3 = 1 — A^ + , 
hence 



0+/ 



1 -2A„ 



- 1 



< 2(AJ + - A, 



+ 



i+v(V) - 1 



< A 



<t>+ 



2 A*, - 



'MY 



(5.18) 
(5.19) 

(5.20) 



Tightness of the bound 

We claim that the states 



cos# 1 00) + SU16 1 1 11) saturate the bound. 



We first refer the reader to the proof of Lemma 4J3 The matrix E! for this 
state is 

'2cos#sin# 0' 

-2 cos 9 sin^ ) . (5.21) 

1/ 

Then S max = 2Vl + 4 cos 2 #sin 2 9. Meanwhile, F MY (\ip)) is just | (?/#+) | 2 = 
I (cos 6* + sin9) 2 since it is obvious that no unitary operation can improve 
this. (This fact is proven in Lemma 5.4 below.) We then find 

1 + 



Smax (p) 



1 



1 + 2 cos 9 sin 9 



and the state saturates the bound. 



(5.22) 



□ 
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The above bound immediately extends to F LO if we replace p with 1 00) 
whenever p has S ma x(p) < 2. Hence we obtain the following Lemma. 

Lemma 5.2. Let a bipartite state p be given. Then 



Flo(p) > ^ 1 • (5.23) 

Further, this bound is tight. 

Note that the bounds for Fmy and Flo coincide for S > 2. As mentioned 
previously, arbitrary operations do not improve on F MY for pure states, so 
the pure state also saturate this bound for S > 2. For S < 2, any state 
can be transformed to a pure product state using LO and a deterministic 
strategy gives S = 2, so the bound is saturated for these states as well. 

Later we will use the qubit bound when considering bounds for higher 
dimensional systems. In that application we will need to apply convexity 
arguments and the following Lemma will be useful. 

Lemma 5.3. Define f by 



f(S) = . (5.24) 

Then f(x) is concave down on the domain 2 < x < 2\/2. 

Proof. We instead consider g(x) = \ / x 2 — 1 for 1 < x < y/2. The second 
derivative of g(x) is 

- rf^f <^> 

(x 2 — 1) 

For 1 < x < \/2 this is always negative. Hence g(x) and f(x) are concave 
down. □ 



5.3 Measures of quality for higher dimensions 

For higher dimensional physical systems we run into an important question 
of definition: how do we compare a physical state on a state of arbitrary 
dimension with one of a fixed dimension? The only reasonable reference state 
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to compare the physical state with is a maximally entangled pair of qubits 
since these are the only states that maximally violate the CHSH inequality, 
and without further information about the physical state we cannot rule out 
the two qubit case either. We present several approaches to this problem. 
The most useful measure will likely depend on the intended application. 

5.3.1 Mayers- Yao type fidelity 

We begin using the approach begun by Mayers and Yao in [MY04J and contin- 
ued by Magniez et al. in [MMMO06] . Let \^) AB be a bipartite pure physical 
state. Mayers and Yao evaluate the physical state by asking whether or not 
there exists a state of the form \ip') AB <8> \4>+) ab th & t * s equivalent to \ip) 
under local unitary transformations. Later, Magniez et al. make the notion 
robust by considering the quantity 



where U and V are unitary transformations. We may easily transform this 
to match the fidelity measure we use for qubits as follows (abusing notation 
a little). 

Definition 5.2. Let a pure bipartite physical state be given. Then F my i^)) 
is defined by 



where U and V are unitary transformations and \if)') is any state on the 
appropriate space. 

We may extend this definition to mixed states by replacing with 
a mixed state p' . We need to keep the transformations unitary however, 
otherwise we could always take \if>') to be a maximally mixed state and have 
the transformation completely mix the corresponding portion of the physical 
state. 

With this definition we are able to provide a complete characterization 
for pure states in the following Lemma. This relies on the singular value 
(Schmidt) decomposition for pure bipartite states. 




(5.26) 



max F{U A ®V B \^)M')\<t> + )). 

J 1/ \ih'\ 



(5.27) 
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Lemma 5.4. Let bipartite \ip) be given with 

M = 5>i l«i> l*i> ■ (5-28) 
j 

Then 2 

^(|^)) = E (A2 ' + 2 W - ( 5 - 29 ) 
i 

Proof. The closest state of the form |?) ® has Schmidt decomposition 

w = !<-,■> !<*,■> ( 5 - 3 °) 

with /i 2 ; = H21+1- For concreteness, we may assume that the XjS and /ijS are 
both in decreasing order 

We first show that we may take \cj) = \aj) and \dj) = \bj). Note that 

I I < ^2 ^ fc l (°il Cfe ) I- ( 5 - 31 ) 

Let us define the matrix M by 

M jk = \(a>j\ck) (bj\d k )\. (5.32) 

The values | (a>j\bk) \ for various fc and fixed j form a vector of norm 1 since 
\bk) is a basis and \a,j) has norm 1. The same is true for the values | (bj\dk) \ 
and if we fix k and vary j instead. Thus columns (and rows) of M are formed 
by entrywise products of norm 1 vectors and the sum of each row and column 
of M is at most 1. This means that we can find a new matrix iV with positive 
entries such that M + N is doubly stochastic. Note that 

I (V#> I < X M M + N )jk- (5.33) 

jk 

By the Birkhoff-von Neumann Theorem we may write M + iV as a convex 
combination of permutation matrices, thus 

M + N = J2p m P m (5.34) 

m 
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with J2 m p m = 1 and P m permutation matrices. Since the combination is 
convex, there exists some m for which 

\{^\(t>)\<Y, X M P m) jk - (5.35) 

jk 

The permutations merely reorder the /ijS and it is easy to prove that the 
maximum is achieved when the AjS and /ijS are both in decreasing order. 
Hence P m = I satisfies the above equation. We may achieve this by choosing 
the bases \cj) = \dj) and \dj) = \bj), so we need not consider any other bases. 

We now optimize over fij subject to the condition /i 2 ; = ^21+1- By the 
Cauchy-Schwarz inequality we have 



I (V#> I 2 = |X)(Aa + Aa+O^a 

< + X 2l+1 f j (j>|j (5.36) 

with equality when ji and A are collinear. Thus we set 

A 2 / + A 2 ;+i , s 

H21 = H21+1 = (5.37) 

with N a normalization constant equal to 



iV = ^2^(A 2i + A 2i+1 ) 2 . (5.38) 

With these values, we obtain 

F«k(W) = IW>P = £^±W (5.39) 



□ 



5.3.2 Local operations and LOCC 

The Flo we defined for qubits could be extended in a number of ways. In 
particular, Fmy defined in the previous section reduces to Fmy in the case 
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where the physical state is a pair of qubits, which is equal to F LO for states 
with S > 2. Here we will extend it in another way. We begin with a physical 
bipartite state p and ask the question "What is the most entangled pair 
of qubits we can obtain through local operations?" This gives rise to the 
following definition: 

Definition 5.3. 

F LO (p) = max F($4 ® $ B (p), (5.40) 

with $a and $ B ranging over completely positive trace preserving maps from 
the spaces of the physical state a qubits. 

For qubits this definition is not the same as Fmy since arbitrary qubit 
channels are allowed instead of just unitaries. In the Lemma below we es- 
tablish a relationship between F MY and F lo . 

Lemma 5.5. Let bipartite p be given. Then 

Fmy(p) < F LO (p) (5.41) 

with equality if p is pure. 
Proof. Let p be given. Then 

F LQ (P) = maxF($(p),|0 + )(0 + |) (5.42) 

with LO the set of local operations that take the space AB to a pair of qubits. 
We may restrict this set to operations which only apply local unitaries and 
trace out everything but a pair of qubits to obtain 

Flo(p) > max F (tT X (U ® VpU* ® V^), |0+)(0+|) (5.43) 

where tr^ means tracing out everything but a pair of qubits. Since the 
fidelity cannot decrease when a system is traced out we have 

F LO {p) >™*F{U®VpU^®V\p'®\<P + ){<P+\) (5.44) 

for all p', and in particular for the p' which maximizes the expression and 
gives Fmy(p). Thus 

F LO {p) > Fmy(p) (5.45) 
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Now suppose that p = \ip)(ip\ AB - We may write an operation in LO 
as adding a pair of ancillas and a pair of target qubits, applying a pair of 
unitaries, and tracing out everything but the target qubits. Thus 

F LO (m = m^F(tr ABXaXb (U ® V \4>) AB \00) XaXb \00) YaYb ), \<f> + )(cf> + \ YaYb ) 

(5.46) 

Applying Uhlmann's Theorem, we obtain 

F LO (m) = max \ Wab {00 \ XaXb <00|^^ ® |0> ® \<P + ) YaYb \ 2 (5.47) 

The right hand side is equal to F MY (\tp) ® 1 00) ® 1 00) ) by definition. This 
in turn is equal to Fmy{\^)) since the value of Fmy for a pure state is only 
dependent on the Schmidt decomposition, which the product state ancillas 
do not change. Thus 

F LO (m = F MY {\^)). (5.48) 

□ 

For mixed states there exist cases with a strict inequality. For example 
F M y({) = j, but F LO ({) = \ since the class LO allows us to replace the 
state with 1 00) . 

The proof of the Lemma implies a construction for the optimal local 
operations for extract an approximate EPR pair. First take the singular 
value decomposition with singular values ordered in a decreasing fashion. 
Then pair them up and introduce some new variables to obtain 

M = E v 7 ^ (9 |2j) |2j) + s 3 \2j + 1) \2j + 1)) (5.49) 

j 

where + s| = 1 and X 2 j = PjCj , \2j+i — Pj s j, further implying that 
J2jPj = 1- The decreasing ordering implies that Cj and Sj are as close 
together as possible, overall. We can then think of the state as a direct sum 
of pairs of qubits, with each pair of qubits close as possible to an EPR pair. 
The optimal local operations consist of projecting onto the spaces spanned 
by \2j) and \2j + 1) for various j, and then mapping \2j) to |0) and \2j + 1) 
to |1) to obtain a qubit. 
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Larger classes of operations 



We may further extend the definition of Fmy on qubits using different classes 
of operations. Instead of considering local operations of the form $^4 ® $b 
we may instead consider separable maps or local operations with classical 
communication (LOCC). The latter is most interesting to us because they 
are the largest class of reasonably implementable operations that do not 
increase entanglement. (Separable operations are the largest class that do 
not increase entanglement, but they may require quantum communication to 
implement.) Thus we define one more measure of fidelity: 

Definition 5.4. 



with $ ranging over LOCC maps that take the state p to a pair of qubits. 
Since LOCC contains LO we have 



5.4 Bounds for higher dimensions 
5.4.1 Bounds for Fmy 

Recall that for pure states we are able to analytically calculate Fmy in terms 
of the singular values (Schmidt coefficients). Conveniently, Gisin and Peres 
|GP92j have studied the case of determing S max of a pure state in terms of 
the singular values. Although they were not able to find an analytic solution, 
they make the following conjecture 

Conjecture 5.1 (Gisin, Peres |GP92j ). Let a bipartite state be given 
with singular value decomposition 



FlocM = maxF($(p), 



(5.50) 



Fmy(p) < Flo < Flocc- 



(5.51) 



IV>> = I> (qj \2j) \2j) + Sj \2j + 1) \2j + 1)) . 



(5.52) 



J 



with PqCq > PqSq > p\C\ > p\Si > . . . . Then 




(5.53) 
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Later numerical studies by Liang and Doherty [LD06j supported the con- 
jecture. 

Gisin and Peres give an explicit construction for the measurement opera- 
tors which achieve their conjectured value of S max . The general idea is much 
the same as for the optimal local operations for pure states that achieve Flo, 



as discussed in section 5.3.2| The state is divided up into a direct sum of pairs 



of qubits, and the measurements are a projection onto one of the summands 
followed by the optimal measurement for that pair of qubits. 

We now prove that the Gisin-Peres conjecture implies a bound on Fmy 
in terms of S max for pure states. 



Lemma 5.6. If conjecture 5.1 holds, then for pure bipartite state AB we 
have 

F M y(m > 4( ^_ x) • (5-54) 

Furthermore, this bound is tight. 

Proof. We may write \ip) in the singular value decomposition with decreasing 
singular values y/p~jCj, y/p~jSj. Let 1^) = Cj |00) AB + Sj |11) AB . Mapping to 
a different space (possibly adding one more dimension on each side if the 
original dimension was not even on both sides) \ip) = y/p] Vl^j) ab \H)ab- 
Then the Gisin-Peres conjecture implies 

Smax(\lp)) = ^PjSmax (\4>j) A b) ' ( 5 ' 55 ) 



This may be seen as a result of the fact that the Gisin-Peres construction 
for the optimal measurement strategy is to project onto \jj) AB , obtaining 
the value j on both sides (with probability pj), and implement the optimal 
measurement strategy for Also, the fact that S max (c 1 00) + s |11)) = 

2 a/1 + Ac 2 s 2 completes the argument. This equation may be obtained using 



the techniques from the proof of Theorem 5.1 We set = S max (\^j)). 



Meanwhile, applying Lemma [5 A\ we find that Fmy may also be written 
Fmy 

and we set Fj = Fmy^]))- 
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Now we are in a position to prove the bound. Using the bound for qubits 
we find 



-j ^ / | -max(\i>j)) \ 2 _ Y 



Fmy = ^PjFMY^j)) = • ( 5 - 57 ) 

3 j 

We now know that the convex hull of the qubit bound provides our needed 
bound. We find the line connecting the extreme points, namely 5 = 2, Fmy 
I 2 for the state |00) and S = 2^2, F MY = 1 for the state By 



Lemma 5.3 this line is always below a convex combination of the qubit bound 



since the qubit bound is concave down. Hence 

F MY m > — ^/fTT) — ■ (5 - 58) 

Now consider the state 

m = VP \W)ab |00) ab + Vl^~P \H) AB (5.59) 

for some p with < p < 1. The construction for the CHSH measurement 
operators given by Gisin and Peres give S max (\ip)) to be 2p + (1 — p)2y / 2- 
Meanwhile, Fmy = p/2 + (1 — p). Thus these states saturate the conjectured 
lower bound. □ 

5.4.2 Bounds for Flocc 

Our main motivation for introducing Flocc is that we are able to obtain a 
tight bound, which we are unable to obtain for Flo- The bound obtained is 
the same is for Fmy-, and the proof is very similar. 

Lemma 5.7. Let a bipartite state p be given, then 

S max (p) + 2V2 - 4 
F L occ(p) > 4(v /2_ l} (5-60) 

Proof. We begin with optimal measurements A a and Bj, for a,b — 0, 1. Ap- 



plying Lemma 4.1 twice, we obtain a 2 x 2 block diagonalization for both 



sides, which we may turn into a 4 x 4 block diagonalization on the state as a 
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whole. We project p onto the blocks, obtaining a direct sum of four dimen- 
sional bipartite states PjkPjk, which we interpret as pair of qubits. We choose 
Pjk so that Tr(pjfc) = 1. The indices j and k indicate the block on the A and 
B sides respectively. Note that p may have off-diagonal entries as well, so 
it may not be the case that Ylijk PjkPjk = P, but because the measurements 
have the same block structure, S max is unaffected by the projection. 

We may interpret the measurement as first projecting onto block (j, k) 
with probability pjk obtaining reduced state pjk, followed by a two qubit 
measurement on p^. The measurement on the (j, k)th block must be optimal 
for pj k , otherwise we could increase S max (p). This fact allows us to write 

Smax(p) = ^ ~] SmaxjPjk)- (5.61) 

Meanwhile, to extract the approximate EPR pair using LOCC operations 
we first project onto block (j, k) obtaining the state pjk- We transmit j and 
k classically, so that the block is identified on both sides, then apply a local 
change of bases exactly as in the qubit case, allowing us to extract an EPR 
pair with fidelity F LO (pj k ). The combined fidelity is 

F LO cc(p)>J^F LO (p jk ). (5.62) 

jk 



From here we follow the latter half of the proof of Lemma 5.6, which we 
reproduce here using the current notation. Using the bound for qubits we 
find 



ma,x(S m ax(pjk),^) 



- 1 



Flocc > ^2PjkF L o(pjk) = ^Pjk g • ( 5 - 63 ) 

We now know that the convex hull of the qubit bound provides our needed 
bound. We find the line connecting the extreme points, namely S — 2, Flq 
1/2 for the state 1 00) and S = 2a/2, F^q — 1 for the state | </>+). By Lemma 



5.3 



this line is always below a convex combination of the qubit bound since the 
qubit bound is concave down. Hence 

S max (p) + 2y/2-4 
Flocc(p) > 4(v/2 -_ l} • (5-64) 

□ 
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At first it appears as though the bound is tight. Consider the states 



p = p |00>(00U ® |00)(00| AB + (1 - p) \<t> + )(<t> + \ AB ® |11)(H| AB (5.65) 

It appears that the optimal CHSH measurements would be to identify block 
(0,0) or (1,1) and apply the optimal CHSH measurement for either |00) in 
the case of block (0,0), or for \<p+) in the case of (1, 1). Similarly, the optimal 
LOCC operations seem to be to identify one of these blocks and map to a 
pair of qubits. However, we have no proof that either of these strategies is 
optimal. It may be the case that the CHSH measurements are optimal and 
the LOCC operations are not, in which case the bound would not be tight. 

Conjecture 5.2. The bound 

S max (p) + 2y/2-A 
FlocM > 4(v /2_ l} (5-66) 

is tight, saturated by the states 

p = p |00>(00U ® |00)(00| AB + (l-p) \4> + }{<f> + \ AB ® |H)(HUb • (5-67) 

5.4.3 Bounds for F LO 

For local operations there is a significant problem in using the proof tech- 
niques developed above. In particular, the block diagonalization into 2 qubit 
states is indexed by two variables j and k, with j the result of a projection 
on the A side and k the result of a projection on the B side. Since the 
operations necessary to fix the local bases may depend on both j and k, clas- 
sical communication is in general required to control the operations. When 
calculating Flo this becomes important since classical communication is not 
allowed. Nonetheless, we are able to obtain a bound. 

Lemma 5.8. Let a bipartite state p be given. Then 

Flo(p) > (5-68) 

The proof of this result is due to our coauthor on |BLM + 09j . Serge Massar. 
We omit the proof, but instead provide this insight: the main idea is to 
use the measurements to define local bases for each two qubit block. Since 
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the measurements are completely local in nature, this allows for only local 
operations. 

We conjecture that this bound is not tight. The reason is simply that the 
conjectured lower bound for F MY , which must also be a lower bound on F L q 
since F MY < F LO , is higher than the current bound on F LO - Another fact 
of interest is that, if the conjectured bound on F MY holds, and the bound 
on Flocc is tight, then all three measures would have the same tight lower 
bound since Fmy lower bounds them all and Flocc upper bounds them. 
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Chapter 6 

Concluding Remarks 



As we have demonstrated, the field of black box quantum computing is varied 
and fruitful. The general circuit testing construction of self-testing allows 
for wide application of the black box methodology, while a more tailored 
approach allows us to draw more specific conclusions for DIQKD and black 
box state characterization. Additionally, techniques developed here have 
application in other settings such as foundations and complexity. 

There remain important challenges as well. For all the results presented 
in this thesis we need to make additional assumptions in order to collect 
statistics about the devices. Even for DIQKD, we must assume that the 
devices have no memory. Finding a mechanism for collecting statistics with- 
out assuming independent and identical trials is the most important open 
problem in this field. 
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